News Automating License Validity Checks with KrakenD

Enterprise Documentation

Recent changes

You are viewing a previous version of KrakenD Enterprise Edition (v1.3) , go to the latest version

Cross-Origin Resource Sharing (CORS) Configuration

Document updated on Jul 10, 2020

When KrakenD endpoints are consumed from a browser, you might need to enable the Cross-Origin Resource Sharing (CORS) module as browsers restrict cross-origin HTTP requests initiated from scripts.

When the Cross-Origin Resource Sharing (CORS) configuration is enabled, KrakenD uses additional HTTP headers to tell browsers that they can use resources from a different origin (domain, protocol, or port). For instance, you will need this configuration if your web page is hosted at and the Javascript references the KrakenD API at


CORS configuration lives in the root of the file, as it’s a service component. Add the namespace github_com/devopsfaith/krakend-cors under the global extra_config, as follows:

  "version": 2,
  "extra_config": {
    "github_com/devopsfaith/krakend-cors": {
      "allow_origins": [
      "allow_methods": [
      "expose_headers": [
      "max_age": "12h",
      "allow_headers": [
      "allow_credentials": false,
      "debug": false

The configuration options of this component are as follows:

  • allow_methods (list): The array of all HTTP methods accepted, in uppercase.
  • allow_origins (list): An array with all the origins allowed, examples of values are, or * (any origin).
  • expose_headers (list): Headers that are safe to expose to the API of a CORS API specification
  • max_age (string): For how long the response can be cached. The value needs to specify units. Valid time units are: ns, us, (or ┬Ás), ms, s, m, h E.g., 12h for 12 hours.
  • allow_credentials (boolean): When requests can include user credentials like cookies, HTTP authentication or client side SSL certificates
  • debug: (boolean): Show debugging information in the logger, to be used only during development (defaults to false)
Allow credentials and wildcards
According to the CORS specification, you are not allowed to use wildcards and credentials at the same time. If you need to do this, check this workaround

Unresolved issues?

The documentation is only a piece of the help you can get! Whether you are looking for Open Source or Enterprise support, see more support channels that can help you.