Struct tower_http::cors::CorsLayer
source · pub struct CorsLayer { /* private fields */ }
Expand description
Layer that applies the Cors
middleware which adds headers for CORS.
See the module docs for an example.
Implementations§
source§impl CorsLayer
impl CorsLayer
sourcepub fn new() -> Self
pub fn new() -> Self
Create a new CorsLayer
.
No headers are sent by default. Use the builder methods to customize the behavior.
You need to set at least an allowed origin for browsers to make successful cross-origin requests to your service.
sourcepub fn permissive() -> Self
pub fn permissive() -> Self
A permissive configuration:
- All request headers allowed.
- All methods allowed.
- All origins allowed.
- All headers exposed.
sourcepub fn very_permissive() -> Self
pub fn very_permissive() -> Self
A very permissive configuration:
- Credentials allowed.
- The method received in
Access-Control-Request-Method
is sent back as an allowed method. - The origin of the preflight request is sent back as an allowed origin.
- The header names received in
Access-Control-Request-Headers
are sent back as allowed headers. - No headers are currently exposed, but this may change in the future.
sourcepub fn allow_credentials<T>(self, allow_credentials: T) -> Selfwhere
T: Into<AllowCredentials>,
pub fn allow_credentials<T>(self, allow_credentials: T) -> Selfwhere T: Into<AllowCredentials>,
Set the Access-Control-Allow-Credentials
header.
use tower_http::cors::CorsLayer;
let layer = CorsLayer::new().allow_credentials(true);
sourcepub fn allow_headers<T>(self, headers: T) -> Selfwhere
T: Into<AllowHeaders>,
pub fn allow_headers<T>(self, headers: T) -> Selfwhere T: Into<AllowHeaders>,
Set the value of the Access-Control-Allow-Headers
header.
use tower_http::cors::CorsLayer;
use http::header::{AUTHORIZATION, ACCEPT};
let layer = CorsLayer::new().allow_headers([AUTHORIZATION, ACCEPT]);
All headers can be allowed with
use tower_http::cors::{Any, CorsLayer};
let layer = CorsLayer::new().allow_headers(Any);
Note that multiple calls to this method will override any previous calls.
Also note that Access-Control-Allow-Headers
is required for requests that have
Access-Control-Request-Headers
.
sourcepub fn max_age<T>(self, max_age: T) -> Selfwhere
T: Into<MaxAge>,
pub fn max_age<T>(self, max_age: T) -> Selfwhere T: Into<MaxAge>,
Set the value of the Access-Control-Max-Age
header.
use std::time::Duration;
use tower_http::cors::CorsLayer;
let layer = CorsLayer::new().max_age(Duration::from_secs(60) * 10);
By default the header will not be set which disables caching and will require a preflight call for all requests.
Note that each browser has a maximum internal value that takes precedence when the Access-Control-Max-Age is greater. For more details see mdn.
If you need more flexibility, you can use supply a function which can dynamically decide the max-age based on the origin and other parts of each preflight request:
use std::time::Duration;
use http::{request::Parts as RequestParts, HeaderValue};
use tower_http::cors::{CorsLayer, MaxAge};
let layer = CorsLayer::new().max_age(MaxAge::dynamic(
|_origin: &HeaderValue, parts: &RequestParts| -> Duration {
// Let's say you want to be able to reload your config at
// runtime and have another middleware that always inserts
// the current config into the request extensions
let config = parts.extensions.get::<MyServerConfig>().unwrap();
config.cors_max_age
},
));
sourcepub fn allow_methods<T>(self, methods: T) -> Selfwhere
T: Into<AllowMethods>,
pub fn allow_methods<T>(self, methods: T) -> Selfwhere T: Into<AllowMethods>,
Set the value of the Access-Control-Allow-Methods
header.
use tower_http::cors::CorsLayer;
use http::Method;
let layer = CorsLayer::new().allow_methods([Method::GET, Method::POST]);
All methods can be allowed with
use tower_http::cors::{Any, CorsLayer};
let layer = CorsLayer::new().allow_methods(Any);
Note that multiple calls to this method will override any previous calls.
sourcepub fn allow_origin<T>(self, origin: T) -> Selfwhere
T: Into<AllowOrigin>,
pub fn allow_origin<T>(self, origin: T) -> Selfwhere T: Into<AllowOrigin>,
Set the value of the Access-Control-Allow-Origin
header.
use http::HeaderValue;
use tower_http::cors::CorsLayer;
let layer = CorsLayer::new().allow_origin(
"http://example.com".parse::<HeaderValue>().unwrap(),
);
Multiple origins can be allowed with
use tower_http::cors::CorsLayer;
let origins = [
"http://example.com".parse().unwrap(),
"http://api.example.com".parse().unwrap(),
];
let layer = CorsLayer::new().allow_origin(origins);
All origins can be allowed with
use tower_http::cors::{Any, CorsLayer};
let layer = CorsLayer::new().allow_origin(Any);
You can also use a closure
use tower_http::cors::{CorsLayer, AllowOrigin};
use http::{request::Parts as RequestParts, HeaderValue};
let layer = CorsLayer::new().allow_origin(AllowOrigin::predicate(
|origin: &HeaderValue, _request_parts: &RequestParts| {
origin.as_bytes().ends_with(b".rust-lang.org")
},
));
Note that multiple calls to this method will override any previous calls.
sourcepub fn expose_headers<T>(self, headers: T) -> Selfwhere
T: Into<ExposeHeaders>,
pub fn expose_headers<T>(self, headers: T) -> Selfwhere T: Into<ExposeHeaders>,
Set the value of the Access-Control-Expose-Headers
header.
use tower_http::cors::CorsLayer;
use http::header::CONTENT_ENCODING;
let layer = CorsLayer::new().expose_headers([CONTENT_ENCODING]);
All headers can be allowed with
use tower_http::cors::{Any, CorsLayer};
let layer = CorsLayer::new().expose_headers(Any);
Note that multiple calls to this method will override any previous calls.
sourcepub fn vary<T>(self, headers: T) -> Selfwhere
T: Into<Vary>,
pub fn vary<T>(self, headers: T) -> Selfwhere T: Into<Vary>,
Set the value(s) of the Vary
header.
In contrast to the other headers, this one has a non-empty default of
preflight_request_headers()
.
You only need to set this is you want to remove some of these defaults, or if you use a closure for one of the other headers and want to add a vary header accordingly.