Skip to main content

Setting up cross-origin resource sharing (CORS)

Ory Kratos' Public API supports CORS out of the box. A reference for this configuration can be found in the Configuration Reference.

For CORS to work properly, we encourage to set the following values:

serve:
public:
cors:
enabled: true
allowed_origins:
- https://example.org
- https://*.example.org
allowed_methods:
- POST
- GET
- PUT
- PATCH
- DELETE
allowed_headers:
- Authorization
- Cookie
- Content-Type
exposed_headers:
- Content-Type
- Set-Cookie