Configuring Glue for cross-origin requests


By default, Glue REST API is configured to run using the same-origin policy, which remains the recommended default security level for web applications. However, taking into account that requests to Glue REST API can originate from touchpoints located across multiple domains, we made it possible to enable Cross-Origin Resource Sharing (CORS) in Glue. When CORS is enabled, Glue REST API can accept requests from a list of allowed origins or any origin, depending on the configuration.

To enable CORS support in Glue, follow the Installation Guide.

Configure CORS behavior

CORS is configured in Spryker Glue using environment variables. There are two levels at which CORS can be configured: global and per domain. On the global level, CORS is configured for the whole Glue Application. On the per-domain level, you configure CORS behavior separately for each domain set up in Glue Application. For example, you can configure different lists of allowed origins for the and domains.

Per-domain configuration always prevails over the global one. For this reason, the recommended practice is to configure CORS behavior for each domain separately.

Configuration can be found in the following files:

  • Global: config/Shared/config_default.php
  • Per domain: config/Shared/config_default_DE.php, where DE is the respective domain

To configure CORS behavior, follow these steps:

  1. Open the necessary configuration file depending on which CORS configuration you want to set up.

  2. Modify the value of the GlueApplicationConstants::GLUE_APPLICATION_CORS_ALLOW_ORIGIN configuration key. The following values are supported:

    • <null>: CORS is disabled. Example:
    $config[GlueApplicationConstants::GLUE_APPLICATION_CORS_ALLOW_ORIGIN] = '';
    • *: allow CORS requests from any domain. Example:
    $config[GlueApplicationConstants::GLUE_APPLICATION_CORS_ALLOW_ORIGIN] = '*';
    • A specific origin: allow CORS requests only from that origin. Example:
    $config[GlueApplicationConstants::GLUE_APPLICATION_CORS_ALLOW_ORIGIN] = '';
  3. Save the file.

Verify the configuration

To verify that the configuration has been applied successfully, make an OPTIONS pre-flight request to any valid Glue resource with the Origin header set to the configured origin, and make sure of the following:

  • The Access-Control-Allow-Origin header is present and matches the value set in the configuration.
  • The Access-Control-Allow-Methods header is present and lists all REST methods available for the resource.

You can also make one of the available POST, PATCH, or DELETE requests (depending on the resource used) and verify that the response headers are the same.
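The pre-flight check described above can be scripted so it runs after every configuration change. The following Python script is an added example, not part of the Spryker documentation or the Glue code base: it sends the OPTIONS request with urllib and then checks the response headers against the value you set in GLUE_APPLICATION_CORS_ALLOW_ORIGIN. The URL and origin values, the sample header sets, and the default list of methods it expects (the POST, PATCH and DELETE methods named on this page) are assumptions; adjust the method list to the resource you test. An empty expected origin means CORS is disabled, in which case the script reports any Access-Control-Allow-Origin header as a problem, and a configured single origin that comes back as '*' is reported as a mismatch rather than accepted.

```python
"""Check Glue CORS pre-flight responses against the configured allow-origin value.

Added example, not Spryker's own code. Hostnames below are placeholders.
"""
import sys
import urllib.error
import urllib.request

# Methods named on the documentation page; the full set depends on the resource.
DEFAULT_REQUIRED_METHODS = ("POST", "PATCH", "DELETE")

# Constructed sample responses used for offline demonstration.
SAMPLE_OK_HEADERS = {
    "Access-Control-Allow-Origin": "http://www.example.test",
    "Access-Control-Allow-Methods": "GET, POST, PATCH, DELETE, OPTIONS",
    "Content-Type": "application/vnd.api+json",
}
SAMPLE_WILDCARD_HEADERS = {
    "Access-Control-Allow-Origin": "*",
    "Access-Control-Allow-Methods": "GET, POST",
}


def check_cors_headers(headers, expected_origin, required_methods=DEFAULT_REQUIRED_METHODS):
    """Return a list of problems found in a pre-flight response.

    headers: mapping of response header names to values (looked up case-insensitively).
    expected_origin: the configured GLUE_APPLICATION_CORS_ALLOW_ORIGIN value,
        i.e. '' (CORS disabled), '*' (any origin) or one exact origin.
    """
    lower = {name.lower(): value for name, value in headers.items()}
    problems = []
    allow_origin = lower.get("access-control-allow-origin")

    if expected_origin == "":
        # CORS disabled: no allow-origin header should be emitted at all.
        if allow_origin is not None:
            problems.append(
                f"CORS should be disabled but Access-Control-Allow-Origin is {allow_origin!r}"
            )
        return problems

    if allow_origin is None:
        problems.append("Access-Control-Allow-Origin header is missing")
    elif allow_origin != expected_origin:
        # A configured single origin must be echoed exactly; '*' is not equivalent.
        problems.append(
            f"Access-Control-Allow-Origin is {allow_origin!r}, expected {expected_origin!r}"
        )

    allow_methods = lower.get("access-control-allow-methods")
    if allow_methods is None:
        problems.append("Access-Control-Allow-Methods header is missing")
    else:
        advertised = {m.strip().upper() for m in allow_methods.split(",") if m.strip()}
        missing = sorted(set(required_methods) - advertised)
        if missing:
            problems.append(f"Access-Control-Allow-Methods lacks: {', '.join(missing)}")
    return problems


def preflight(url, origin, request_method="POST", timeout=10):
    """Send an OPTIONS pre-flight request and return the response headers as a dict.

    Non-2xx responses are still returned so their headers can be inspected.
    """
    request = urllib.request.Request(
        url,
        method="OPTIONS",
        headers={"Origin": origin, "Access-Control-Request-Method": request_method},
    )
    try:
        with urllib.request.urlopen(request, timeout=timeout) as response:
            return dict(response.headers.items())
    except urllib.error.HTTPError as err:
        return dict(err.headers.items())


if __name__ == "__main__":
    # Usage: python check_glue_cors.py <glue-resource-url> <configured-origin>
    # e.g.   python check_glue_cors.py https://glue.example.test/catalog-search http://www.example.test
    resource_url, configured_origin = sys.argv[1], sys.argv[2]
    found = check_cors_headers(preflight(resource_url, configured_origin), configured_origin)
    for problem in found:
        print("PROBLEM:", problem)
    print("OK" if not found else f"{len(found)} problem(s) found")
    sys.exit(1 if found else 0)
```

Run it once per configured domain, passing that domain's own origin, since the per-domain configuration overrides the global one and a check against a single domain says nothing about the others.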