allow-method
The allow-method entry specifies which methods are presented to clients in preflight responses as acceptable to use when making cross-origin requests to the resources that this policy applies to.
allow-method = <method>
Description
A method that is permitted when making cross-origin requests to the resources protected by this policy. This configuration entry can be specified multiple times to indicate multiple allowable methods. A value of '*' indicates that any method is acceptable; in this case the reverse proxy responds with the method presented by the client in the Access-Control-Request-Method header. When configured with a method or list of methods, this configuration entry adds the following header to pre-flight responses:
Access-Control-Allow-Method = <any values given in this policy>
When configured with '*', this configuration entry adds the following header to pre-flight responses:
Access-Control-Allow-Method = <any value presented by the client in the Access-Control-Request-Method header>
- If a pre-flight request is received containing an Access-Control-Request-Method header with a value that is not acceptable, the reverse proxy will return a CORS error response.
- The following simple methods are considered always allowed and are never returned in the Access-Control-Allow-Method header:
  - GET
  - HEAD
  - POST
This entry affects only pre-flight requests.
Options
method: This entry should be either '*' or a method name.
Usage: Multiple entries can be specified if needed. Method matching is case sensitive.
If a '*' entry is specified, all other allow-method entries for this policy are ignored.
Default value: None.
Example: allow-method = PUT
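The rules above (always-allowed simple methods, '*' reflecting the client's method, case-sensitive matching) can be modelled and used to audit a configuration file. The following Python is an added example, not the reverse proxy's own code. The policy names, the sample configuration, and the ", " separator used when several methods are listed are assumptions made for illustration.

```python
SIMPLE_METHODS = {"GET", "HEAD", "POST"}  # always allowed, never listed (per this page)

# Constructed sample configuration; the policy names "api" and "legacy" are made up.
SAMPLE_CONF = """
[cors-policy:api]
allow-method = PUT
allow-method = delete
allow-method = POST
[cors-policy:legacy]
allow-method = *
allow-method = PATCH
"""

def parse_allow_methods(conf_text):
    """Collect the allow-method values of each [cors-policy:<name>] stanza."""
    policies, current = {}, None
    for line in map(str.strip, conf_text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            kind, _, name = line[1:-1].partition(":")
            current = policies.setdefault(name, []) if kind == "cors-policy" else None
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            if key.strip() == "allow-method":
                current.append(value.strip())
    return policies

def preflight(methods, requested):
    """Model the documented decision: (allowed, response header value or None)."""
    if requested in SIMPLE_METHODS:
        return True, None                    # allowed without being listed
    if "*" in methods:
        return True, requested               # wildcard reflects the client's method
    if requested in methods:                 # exact, case-sensitive comparison
        listed = [m for m in methods if m not in SIMPLE_METHODS]
        return True, ", ".join(listed)       # ", " separator is an assumption
    return False, None                       # the proxy returns a CORS error response

def audit(policies):
    """Flag entries that widen a policy or will not behave as the author expects."""
    findings = []
    for name, methods in policies.items():
        if "*" in methods:
            findings.append((name, "*", "any method accepted; other entries ignored"))
            continue
        for m in methods:
            if m in SIMPLE_METHODS:
                findings.append((name, m, "redundant: simple methods are always allowed"))
            elif m != m.upper():
                findings.append((name, m, "case-sensitive: uppercase request will not match"))
    return findings
```

Running audit(parse_allow_methods(SAMPLE_CONF)) reports the lowercase "delete" entry, the redundant POST entry, and the wildcard in the "legacy" policy.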
Parent topic: [cors-policy:policy-name] stanza