Kitura-CORS is a cross-origin resource sharing (CORS) middleware. A webpage or script provided by a service may include references to resources or services hosted by another domain - such as a public service or resource. A browser's request for such a resource is an example of a cross-origin request, and is typically prohibited under the same-origin security policy.
CORS allows you to bypass the same-origin restriction in a controlled manner, so that resources can be shared between different domains. A CORS-capable client makes a 'pre-flight' request to the service hosting the resource at domain B with an
Origin header specifying domain A. That service can then respond to the client with an
Access-Control-Allow-Origin header which indicates whether access to this resource should be permitted.
You can use CORS middleware in your Kitura application to authorize external services to access resources or APIs that you provide.
The latest version of Kitura-CORS requires Swift 4.1.2. You can download this version of the Swift binaries by following this link. Compatibility with other Swift versions is not guaranteed.
Kitura-CORS package to the dependencies within your application’s
Package.swift file. Substitute
"x.x.x" with the latest
.package(url: "https://github.com/IBM-Swift/Kitura-CORS.git", from: "x.x.x")
KituraCORS to your target's dependencies:
.target(name: "example", dependencies: ["KituraCORS"]),
To create an instance of Kitura-CORS middleware use:
public init(options : Options)
- allowedOrigin - an enum that configures the
Access-Control-Allow-OriginCORS server response header. Possible values are:
- all - all origins are allowed.
Access-Control-Allow-Originwill be set to
*. This is the default.
- set - a set of allowed origins.
- origin - a single allowed origin.
- regex - a regular expression that defines allowed origins.
- all - all origins are allowed.
- credentials - a boolean value that indicates whether to set the
Access-Control-Allow-CredentialsCORS header. The header is set only if credentials is
true, otherwise the header is not passed. Defaults to
- methods - an array of methods to be passed in the
Access-Control-Allow-Methodsheader. The default set of methods to be passed is
- allowedHeaders - an array of allowed headers to configure the
Access-Control-Allow-HeadersCORS header. If not specified, the headers specified in the request's
Access-Control-Request-Headersheader are passed.
- maxAge - an integer to set the
Access-Control-Allow-Max-Ageheader. If not set, the header is omitted.
- exposedHeaders - an array of exposed headers to configure the
Access-Control-Expose-Headersheader. If not set, the header is omitted.
- preflightContinue - a boolean indicating whether a CORS preflight request should be passed on to route handlers to further customize the response. Defaults to
false, meaning that the CORS middleware will send an appropriate response back to the client immediately.
Please see the CORS documentation for more information about CORS.
First create an instance of
CORS. In the following example, the resource author has a resource which they would like http://www.abc.com to be able to access. Only the methods GET and PUT can be used in the actual request, the response can be cached for 5 seconds and only the Content-Type header will be used in the actual request:
import Kitura import KituraCORS let options = Options(allowedOrigin: .origin("http://www.abc.com"), methods: ["GET","PUT"], allowedHeaders: ["Content-Type"], maxAge: 5) let cors = CORS(options: options)
Kitura-CORS implements the RouterMiddleware protocol; therefore to connect the middleware to your path you need to use one of the
Router methods, for example:
let router = Router() router.all("/cors", middleware: cors)
For more information visit our API reference.
We love to talk server-side Swift, and Kitura. Join our Slack to meet the team!
This library is licensed under Apache 2.0. Full license text is available in LICENSE.
Help us keep the lights on
2.1.1 - Apr 12, 2019
- Build in Swift 5 mode (#40)