CORS (Cross-Origin Resource Sharing) middleware for Gin.
```sh
go get github.com/gin-contrib/cors
```

Import in your Go code:

```go
import "github.com/gin-contrib/cors"
```

Allow all origins (default):
```go
package main

import (
	"github.com/gin-contrib/cors"
	"github.com/gin-gonic/gin"
)

func main() {
	router := gin.Default()
	router.Use(cors.Default()) // All origins allowed by default
	router.Run()
}
```

⚠️ Warning: Allowing all origins disables cookies for clients. For credentialed requests, do not allow all origins.
Configure allowed origins, methods, headers, and more:
```go
package main

import (
	"time"

	"github.com/gin-contrib/cors"
	"github.com/gin-gonic/gin"
)

func main() {
	router := gin.Default()
	router.Use(cors.New(cors.Config{
		AllowOrigins:     []string{"https://foo.com"},
		AllowMethods:     []string{"PUT", "PATCH"},
		AllowHeaders:     []string{"Origin"},
		ExposeHeaders:    []string{"Content-Length"},
		AllowCredentials: true,
		AllowOriginFunc: func(origin string) bool {
			return origin == "https://github.com"
		},
		MaxAge: 12 * time.Hour,
	}))
	router.Run()
}
```

Start with library defaults and customize as needed:
```go
package main

import (
	"github.com/gin-contrib/cors"
	"github.com/gin-gonic/gin"
)

func main() {
	router := gin.Default()
	config := cors.DefaultConfig()
	config.AllowOrigins = []string{"http://google.com"}
	// config.AllowOrigins = []string{"http://google.com", "http://facebook.com"}
	// config.AllowAllOrigins = true
	router.Use(cors.New(config))
	router.Run()
}
```

Note: `Default()` allows all origins, but `DefaultConfig()` does not. To allow all origins, set `AllowAllOrigins = true`.

Enable all origins with a single call:
```go
router.Use(cors.Default()) // Equivalent to AllowAllOrigins = true
```

The middleware is controlled via the `cors.Config` struct. All fields are optional unless otherwise stated.

| Field | Type | Default | Description |
|---|---|---|---|
| `AllowAllOrigins` | `bool` | `false` | If true, allows all origins. Credentials cannot be used. |
| `AllowOrigins` | `[]string` | `[]` | List of allowed origins. Supports exact match, `*`, and wildcards. |
| `AllowOriginFunc` | `func(string) bool` | `nil` | Custom function to validate origin. If set, `AllowOrigins` is ignored. |
| `AllowOriginWithContextFunc` | `func(*gin.Context, string) bool` | `nil` | Like `AllowOriginFunc`, but with request context. |
| `AllowMethods` | `[]string` | `[]string{"GET", "POST", "PUT", "PATCH", "DELETE", "HEAD", "OPTIONS"}` | Allowed HTTP methods. |
| `AllowPrivateNetwork` | `bool` | `false` | Adds Private Network Access CORS header. |
| `AllowHeaders` | `[]string` | `[]` | List of non-simple headers permitted in requests. |
| `AllowCredentials` | `bool` | `false` | Allow cookies, HTTP auth, or client certs. Only if precise origins are used. |
| `ExposeHeaders` | `[]string` | `[]` | Headers exposed to the browser. |
| `MaxAge` | `time.Duration` | `12 * time.Hour` | Cache time for preflight requests. |
| `AllowWildcard` | `bool` | `false` | Enables wildcards in origins (e.g. `https://*.example.com`). |
| `AllowBrowserExtensions` | `bool` | `false` | Allow browser extension schemes as origins (e.g. `chrome-extension://`). |
| `CustomSchemas` | `[]string` | `nil` | Additional allowed URI schemes (e.g. `tauri://`). |
| `AllowWebSockets` | `bool` | `false` | Allow `ws://` and `wss://` schemas. |
| `AllowFiles` | `bool` | `false` | Allow `file://` origins (dangerous; use only if necessary). |
| `OptionsResponseStatusCode` | `int` | `204` | Custom status code for `OPTIONS` responses. |

- Only one of `AllowAllOrigins`, `AllowOrigins`, `AllowOriginFunc`, or `AllowOriginWithContextFunc` should be set.
- If `AllowAllOrigins` is true, other origin settings are ignored and credentialed requests are not allowed.
- If `AllowWildcard` is enabled, only one `*` is allowed per origin string.
- Use `AllowBrowserExtensions`, `AllowWebSockets`, or `AllowFiles` to permit non-HTTP(s) protocols as origins.
- Use `CustomSchemas` to permit additional URI schemes (`tauri://`, etc.).
- If both `AllowOriginFunc` and `AllowOriginWithContextFunc` are set, the context-specific function is preferred.

```go
config := cors.Config{
	AllowOrigins:           []string{"https://*.foo.com", "https://bar.com"},
	AllowWildcard:          true,
	AllowMethods:           []string{"GET", "POST"},
	AllowHeaders:           []string{"Authorization", "Content-Type"},
	AllowCredentials:       true,
	AllowBrowserExtensions: true,
	AllowWebSockets:        true,
	AllowFiles:             false,
	CustomSchemas:          []string{"tauri://"},
	MaxAge:                 24 * time.Hour,
	ExposeHeaders:          []string{"X-Custom-Header"},
	AllowPrivateNetwork:    true,
}
```

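```go
config := cors.Config{
	AllowOriginFunc: func(origin string) bool {
		// Allow github.com and its subdomains by parsed host (needs net/url, strings);
		// a suffix match on the raw origin would also accept https://evilgithub.com.
		u, err := url.Parse(origin)
		if err != nil {
			return false
		}
		host := u.Hostname()
		return host == "github.com" || strings.HasSuffix(host, ".github.com")
	},
}
```
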
```go
config := cors.Config{
	AllowOriginWithContextFunc: func(c *gin.Context, origin string) bool {
		// Allow only if a certain header is present
		return c.Request.Header.Get("X-Allow-CORS") == "yes"
	},
}
```

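An added example (not code from the gin-contrib/cors project) of a stricter origin validator with the `func(string) bool` shape that `AllowOriginFunc` expects: it matches the parsed host against a list of base domains instead of suffix-matching the raw origin string, which accepts look-alike hosts. The names `naiveSuffixMatch` and `newOriginValidator` and the sample origins are assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// naiveSuffixMatch is the pattern to avoid: a suffix match on the raw origin.
func naiveSuffixMatch(origin string) bool {
	return strings.HasSuffix(origin, "github.com")
}

// newOriginValidator (hypothetical helper) returns a func(string) bool for
// cors.Config.AllowOriginFunc. It accepts only https origins whose host is one
// of baseDomains (given in lower case) or a subdomain of one.
func newOriginValidator(baseDomains ...string) func(string) bool {
	return func(origin string) bool {
		u, err := url.Parse(origin)
		if err != nil || u.Scheme != "https" || u.User != nil {
			return false
		}
		// An Origin value is scheme://host[:port] with nothing after it.
		if u.Path != "" || u.RawQuery != "" || u.Fragment != "" {
			return false
		}
		host := strings.ToLower(u.Hostname())
		for _, d := range baseDomains {
			if host == d || strings.HasSuffix(host, "."+d) {
				return true
			}
		}
		return false
	}
}

func main() {
	allow := newOriginValidator("github.com")
	// Constructed sample origins.
	samples := []string{
		"https://github.com", "https://api.github.com",
		"https://evilgithub.com", "http://github.com",
		"https://github.com.attacker.example", "null",
	}
	for _, o := range samples {
		fmt.Printf("%-38s naive=%-5v strict=%v\n", o, naiveSuffixMatch(o), allow(o))
	}
}
```

Assign the result to the config with `config.AllowOriginFunc = newOriginValidator("github.com")`.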
Dynamically add methods or headers to the config:
```go
config.AddAllowMethods("DELETE", "OPTIONS")
config.AddAllowHeaders("X-My-Header")
config.AddExposeHeaders("X-Other-Header")
```

Validation & Error Handling

- Calling `Validate()` on a `Config` checks for misconfiguration (called internally).
- If `AllowAllOrigins` is set, you cannot also set `AllowOrigins` or any `AllowOriginFunc`.
- If neither `AllowAllOrigins`, `AllowOriginFunc`, nor `AllowOrigins` is set, an error is raised.
- If an `AllowOrigins` entry contains a wildcard but `AllowWildcard` is not enabled, or more than one `*` is present, a panic is triggered.
- If `AllowAllOrigins` is enabled, Gin cannot set cookies for clients. If you need credential sharing (cookies, authentication headers), do not allow all origins.