CORS

Attach to:

Cross-origin resource sharing (CORS) CORS (Cross-Origin Resource Sharing) A security mechanism that allows web pages to make requests to a different domain than the one serving the web page. Agentgateway can configure CORS headers to control cross-origin access. is a browser security mechanism which allows a server to control which origins can request resources.

Tip

CORS is enforced on the browser, not the server. Requests that violate the CORS policy will still have responses returned, but the browser will reject them. As such, usage of tools like curl with cors can be confusing, as curl does not respect CORS headers.

Example:

cors:
  allowOrigins:
  - "*"
  allowHeaders:
  - mcp-protocol-version
  - content-type
  allowCredentials: true
  exposeHeaders:
  - x-my-header
  maxAge: 100s

Backend TLS CSRF