---
layout: api
page_title: /sys/config/cors - HTTP API
description: >-
  The '/sys/config/cors' endpoint configures how the Vault server responds to
  cross-origin requests.
---

# `/sys/config/cors`

@include 'alerts/restricted-root.mdx'

The `/sys/config/cors` endpoint is used to configure CORS settings.

- **`sudo` required** – All CORS endpoints require `sudo` capability in
  addition to any path-specific capabilities.

## Read CORS settings

This endpoint returns the current CORS configuration. 

| Method | Path               |
| :----- | :----------------- |
| `GET`  | `/sys/config/cors` |

### Sample request

```shell-session
$ curl \
    --header "X-Vault-Token: ..." \
    http://127.0.0.1:8200/v1/sys/config/cors
```

### Sample response

```json
{
  "enabled": true,
  "allowed_origins": ["http://www.example.com"],
  "allowed_headers": [
    "Content-Type",
    "X-Requested-With",
    "X-Vault-AWS-IAM-Server-ID",
    "X-Vault-No-Request-Forwarding",
    "X-Vault-Token",
    "Authorization",
    "X-Vault-Wrap-Format",
    "X-Vault-Wrap-TTL"
  ]
}
```

## Configure CORS settings

This endpoint allows configuring the origins that are permitted to make
cross-origin requests, as well as headers that are allowed on cross-origin requests.

<EnterpriseAlert>

The CORS configuration endpoint does not apply changes across clusters. If you
use performance replication, you must invoke the configuration endpoint on each
secondary cluster independently to mirror the primary cluster CORS
configuration.

</EnterpriseAlert>

| Method | Path               |
| :----- | :----------------- |
| `POST` | `/sys/config/cors` |

### Parameters

- `allowed_origins` `(string or string array: <required>)` – A wildcard (`*`), comma-delimited string, or array of strings specifying the origins that are permitted to make cross-origin requests.

- `allowed_headers` `(string or string array: "" or [])` – A comma-delimited string or array of strings specifying headers that are permitted to be on cross-origin requests. Headers set via this parameter will be appended to the list of headers that Vault allows by default.

### Sample payload

```json
{
  "allowed_origins": "*",
  "allowed_headers": "X-Custom-Header"
}
```

### Sample request

```shell-session
$ curl \
    --header "X-Vault-Token: ..." \
    --request POST \
    --data @payload.json \
    http://127.0.0.1:8200/v1/sys/config/cors
```

## Delete CORS settings

This endpoint removes any CORS configuration.

| Method   | Path               |
| :------- | :----------------- |
| `DELETE` | `/sys/config/cors` |

### Sample request

```shell-session
$ curl \
    --header "X-Vault-Token: ..." \
    --request DELETE \
    http://127.0.0.1:8200/v1/sys/config/cors
```