Configuring CORS for Cross-Domain Applications in digiRunner

Q: How do I configure CORS to allow my frontend application to call the digiRunner Gateway from a different domain?

A: When using a frontend-backend separated architecture, handling Cross-Origin Resource Sharing (CORS) is often required. digiRunner fully supports cross-domain requests. You can configure this by adjusting the property files and ensuring your backend API sends the appropriate headers.

1. Modifying Allowed Headers

digiRunner includes a default set of allowed headers. To support custom headers from your frontend, edit the config/application.properties file.

  • Locate the property: cors.allow.headers

  • Default Configuration: YYY,Content-Type,Authorization,SignCode,Language,XXX

Note: The headers Content-Type, Authorization, SignCode, and Language are mandatory for digiRunner and must not be removed. XXX and YYY are placeholders where you can insert custom headers.

  • Example: If your application uses X-Custom-Header, update the property as follows:

cors.allow.headers=X-Custom-Header,Content-Type,Authorization,SignCode,Language

  • Version Requirement: This configuration is supported in digiRunner v4.0.49 and above.

2. Handling Standard CORS Headers (Methods, Credentials, Origin)

digiRunner passes through CORS headers sent by your backend API. You do not need to configure these in digiRunner’s UI; ensure your backend API returns them in its response. digiRunner will forward these headers to the browser, including for preflight OPTIONS requests.

  • Access-Control-Allow-Methods: Configure this in your backend API (e.g., GET, POST, PUT, DELETE).

  • Access-Control-Allow-Credentials: If your frontend sends cookies (credentials: 'include'), your backend must return Access-Control-Allow-Credentials: true.

  • Access-Control-Allow-Origin: Your backend must specify the allowed origin (the scheme, host, and port of your frontend).

Important: If Access-Control-Allow-Credentials is true, you cannot use the wildcard * for Access-Control-Allow-Origin; the browser rejects that combination, so your backend must return the specific requesting origin instead.
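The following is an added example and not code from digiRunner or from this article. It shows the backend side of sections 1 and 2: a check that a cors.allow.headers value still contains the four mandatory headers, and a small policy function that returns the CORS headers a backend should emit (and that digiRunner passes through), including the preflight OPTIONS case and the rule that credentials cannot be combined with a wildcard origin. The origin allow-list, the sample property line, the function names, and the 600-second Max-Age are assumptions of this example.

```python
from typing import Dict, Iterable, List, Sequence

# The four headers the article says digiRunner requires in cors.allow.headers.
MANDATORY_HEADERS = ("Content-Type", "Authorization", "SignCode", "Language")

# Constructed sample line, as it would appear in config/application.properties.
SAMPLE_PROPERTY = "cors.allow.headers=X-Custom-Header,Content-Type,Authorization,SignCode,Language"


def parse_allow_headers(property_line: str) -> List[str]:
    """Return the header list from a 'cors.allow.headers=...' line."""
    _, _, value = property_line.partition("=")
    return [h.strip() for h in value.split(",") if h.strip()]


def missing_mandatory(headers: Iterable[str]) -> List[str]:
    """Mandatory names absent from the list (HTTP header names are case-insensitive)."""
    present = {h.lower() for h in headers}
    return [m for m in MANDATORY_HEADERS if m.lower() not in present]


def cors_headers(method: str, request_headers: Dict[str, str], allowed_origins: Sequence[str],
                 allowed_headers: Sequence[str], allow_credentials: bool = False,
                 allowed_methods: Sequence[str] = ("GET", "POST", "PUT", "DELETE")) -> Dict[str, str]:
    """Headers the backend should add to its response; an empty dict means 'no CORS grant'."""
    if allow_credentials and "*" in allowed_origins:
        # Browsers reject this combination, so fail at configuration time rather than per request.
        raise ValueError("Access-Control-Allow-Credentials: true cannot be paired with origin '*'")
    req = {k.lower(): v for k, v in request_headers.items()}
    origin = req.get("origin")
    if origin is None:
        return {}  # same-origin or non-browser client: nothing to grant
    if "*" not in allowed_origins and origin not in allowed_origins:
        return {}  # unknown origin: no grant, the browser blocks the response
    resp: Dict[str, str] = {}
    if "*" in allowed_origins:
        resp["Access-Control-Allow-Origin"] = "*"
    else:
        resp["Access-Control-Allow-Origin"] = origin  # echo exactly one allow-listed origin
        resp["Vary"] = "Origin"  # stop a shared cache from replaying the grant to another origin
    if allow_credentials:
        resp["Access-Control-Allow-Credentials"] = "true"
    if method.upper() == "OPTIONS" and "access-control-request-method" in req:
        # Preflight: the browser asks whether the real method and custom headers are permitted.
        wanted_method = req["access-control-request-method"].upper()
        wanted_headers = [h.strip().lower() for h in
                          req.get("access-control-request-headers", "").split(",") if h.strip()]
        allowed_lc = {h.lower() for h in allowed_headers}
        if wanted_method not in allowed_methods or any(h not in allowed_lc for h in wanted_headers):
            return {}  # preflight denied: send no grant headers at all
        resp["Access-Control-Allow-Methods"] = ", ".join(allowed_methods)
        resp["Access-Control-Allow-Headers"] = ", ".join(allowed_headers)
        resp["Access-Control-Max-Age"] = "600"  # assumed cache lifetime for the preflight result
    return resp


if __name__ == "__main__":
    allowed = parse_allow_headers(SAMPLE_PROPERTY)
    print("missing mandatory headers:", missing_mandatory(allowed))
    # Constructed preflight from a frontend that sends X-Custom-Header with cookies.
    preflight = {"Origin": "https://app.example.com", "Access-Control-Request-Method": "POST",
                 "Access-Control-Request-Headers": "x-custom-header, content-type"}
    print(cors_headers("OPTIONS", preflight, ["https://app.example.com"], allowed, allow_credentials=True))
```

Because digiRunner forwards whatever the backend returns, the deny branches return no CORS headers at all rather than a partial grant; the browser then fails the request, which is the outcome you want for an origin or header you never listed.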

3. Security Best Practices & System Parameters

To enhance security against CSRF, XSS, and Host header injection attacks, tighten the following parameters in the Admin Console under System Config > Setting (each ships with the permissive default *):

  • DGR_CORS_VAL
    Purpose: Sets the default Access-Control-Allow-Origin value (Default: *)
    Recommendation: Set to your specific domain, e.g., https://dgRv4.io

  • DGR_CSP_VAL
    Purpose: Controls the Content-Security-Policy header (Default: *)
    Recommendation: Explicitly list trusted sources separated by spaces, e.g., https://127.0.0.1:1920 https://127.0.0.1:2920

  • DGR_HOST_HEADER
    Purpose: Validates the Host header to prevent injection attacks (Default: *)
    Recommendation: Define a comma-separated list of accepted hostnames, e.g., 127.0.0.1:1920,127.0.0.1:2920
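As an added illustration of the DGR_HOST_HEADER recommendation (example code, not digiRunner's implementation), the check below parses a comma-separated hostname list like the one above and accepts a request only when its Host header matches an entry exactly. The matching semantics (case-insensitive, exact host[:port] comparison, the wildcard * accepting everything) and the function names are assumptions of this example, as is the small audit helper that reports which of the three parameters are still at their * default.

```python
from typing import Dict, List, Optional, Set

# Constructed sample values: the shipped default and the recommended explicit list.
DEFAULT_HOST_SETTING = "*"
EXPLICIT_HOST_SETTING = "127.0.0.1:1920,127.0.0.1:2920"

# The three parameters from the table above, all of which default to "*".
WILDCARD_DEFAULT_PARAMS = ("DGR_CORS_VAL", "DGR_CSP_VAL", "DGR_HOST_HEADER")


def parse_host_allowlist(setting: str) -> Set[str]:
    """Turn a DGR_HOST_HEADER-style list into lowercase host[:port] entries."""
    return {h.strip().lower() for h in setting.split(",") if h.strip()}


def host_is_accepted(host_header: Optional[str], allowlist: Set[str]) -> bool:
    """Exact match against the allow-list; '*' (the default) accepts every Host value."""
    if "*" in allowlist:
        return True  # validation is effectively disabled at the default setting
    if not host_header:
        return False  # HTTP/1.1 requires Host; a missing one is rejected, not ignored
    return host_header.strip().lower() in allowlist


def permissive_settings(settings: Dict[str, str]) -> List[str]:
    """Names of the parameters whose value is still the wildcard default."""
    return [name for name in WILDCARD_DEFAULT_PARAMS if settings.get(name, "*").strip() == "*"]


if __name__ == "__main__":
    allow = parse_host_allowlist(EXPLICIT_HOST_SETTING)
    # Constructed requests: one from a listed host:port, one carrying a foreign hostname.
    print(host_is_accepted("127.0.0.1:1920", allow), host_is_accepted("spoofed.example", allow))
    print(permissive_settings({"DGR_CORS_VAL": "https://dgRv4.io", "DGR_HOST_HEADER": DEFAULT_HOST_SETTING}))
```

The audit helper is the piece to run after an upgrade or a fresh install: any parameter it names is still wide open, whatever the CORS configuration in application.properties says.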

Keywords: CORS, Cross-Origin Resource Sharing, Frontend Integration, API Gateway, Access-Control-Allow-Origin, Preflight OPTIONS
