A CORS Builder, performing validation and injection of CORS for mist, wisp and any framework!

docs: improve docs

Signed-off-by: Guillaume Hivert <hivert.is.coming@gmail.com>

Changed files
+18 -12
README.md
··· 1 1 # CORS Builder 2 2 3 - <!-- prettier-ignore --> 4 3 > [!IMPORTANT] 4 + > 5 5 > Before diving in CORS, 6 6 > [make sure you're aware of security advices](#more-details--notes-about-security) 7 7 > and see if you can't just use a simple proxy to avoid CORS! It's a better and ··· 18 18 out-of-the-box: 19 19 [`wisp_handle`](https://hexdocs.pm/cors_builder/cors_builder#wisp_handle) and 20 20 [`mist_handle`](https://hexdocs.pm/cors_builder/cors_builder#mist_handle) to 21 - integrate nicely in `wisp` and `mist`. You should never have to worry about CORS 21 + integrate nicely in [`wisp`](https://hexdocs.pm/wisp) and 22 + [`mist`](https://hexdocs.pm/mist). You should never have to worry about CORS 22 23 again! Use the package, configure your CORS, and everything should work 23 24 smoothly! 24 25 ··· 119 120 "preflight" request. This request takes the form of an `OPTIONS` request, which 120 121 should be answered positively by the server (meaning the response status code 121 122 should be 2XX) and should contains the appropriate CORS headers 122 - (`Access-Control` headers). 123 + (`access-control` headers). 123 124 124 125 In case the preflight request is not successful, the server will simply cancel 125 126 the HTTP request. But if the preflight request is successful, then the browser ··· 129 130 130 131 We distinguish different types of headers: the headers concerning the request 131 132 issuer (the caller) and the headers responded by the server. 133 + 134 + > [!NOTE] 135 + > 136 + > In HTTP2, all headers keys have to be lowercase, and gleam/http will enforce 137 + > this. All headers keys in this guide will be written in lowercase. 132 138 133 139 ### Response headers 134 140 ··· 137 143 simplify your development and let you focus on your application. 
We count 6 CORS 138 144 response headers: 139 145 140 - - `Access-Control-Allow-Origin`, indicates which origins are allowed to access 146 + - `access-control-allow-origin`, indicates which origins are allowed to access 141 147 the server. It can be a joker (`"*"`) or a unique domain 142 148 (`https://gleam.run`). It cannot contains multiple domains, but can response 143 149 to multiple different domains with the `VARY` header. You should not have to 144 150 take care of this, because the library provides it for you. 145 - - `Access-Control-Expose-Headers`, provides a whitelist of allowed headers for 151 + - `access-control-expose-headers`, provides a whitelist of allowed headers for 146 152 the browsers. Only the headers in the whitelist will be able to be used in the 147 153 response object in the JS code. It means if the response contains headers you 148 154 want to cache to the client, you can use this header. 149 - - `Access-Control-Max-Age`, allows to put the preflight response in cache, for a 155 + - `access-control-max-age`, allows to put the preflight response in cache, for a 150 156 specified amount of time. This avoids to rerun the `OPTIONS` request multiple 151 157 times. 152 - - `Access-Control-Allow-Credentials`, allows the request to includes credentials 158 + - `access-control-allow-credentials`, allows the request to includes credentials 153 159 authorizations. This can expose you to CSRF attack. Never activate this option 154 160 unless you carefully know what you're doing. 155 - - `Access-Control-Allow-Methods`, provides a whitelist of subsequent authorized 161 + - `access-control-allow-methods`, provides a whitelist of subsequent authorized 156 162 methods in the future requests. 
157 - - `Access-Control-Allow-Headers`, indicates which headers are accepted by the 163 + - `access-control-allow-headers`, indicates which headers are accepted by the 158 164 server, and thus, which headers the browser will be able to send in subsequent 159 165 requests. 160 166 ··· 165 171 they're still referenced it, in case you encounter them.We count 3 CORS request 166 172 headers: 167 173 168 - - `Origin` contains the origin of the request. The browser will _always_ fill 174 + - `origin` contains the origin of the request. The browser will _always_ fill 169 175 this header automatically. 170 - - `Access-Control-Request-Method` contains the desired methods to use when 176 + - `access-control-request-method` contains the desired methods to use when 171 177 talking with the server. 172 - - `Access-Control-Request-Header` contains the desired headers that the request 178 + - `access-control-request-header` contains the desired headers that the request 173 179 want to have. 174 180 175 181 ## Contributing
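Review bot: the new `[!NOTE]` block (new lines 134-137) explains the lowercase convention only after the first lowercase use, `access-control` at new line 123 in the preflight paragraph. Move the note above that paragraph, or state the convention where the headers are first mentioned. In the note itself, "HTTP2" should read "HTTP/2" and "headers keys" should read "header keys" in both sentences.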
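Review bot: in the response-headers hunk, the `access-control-allow-origin` bullet still reads "with the `VARY` header" on the unchanged line at new 149, which contradicts the note added in this same commit that all header keys in the guide are lowercase. Change it to `vary`. The same list describes a joker origin (`"*"`) and `access-control-allow-credentials` in separate bullets without saying how the two interact. Since the credentials bullet already warns about CSRF, a sentence on what the library does when both are configured would close that documentation gap.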
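Review bot: in the request-headers hunk, new line 178 lowercases the name to `access-control-request-header`, but the header browsers send on a preflight is `access-control-request-headers` (plural), so the renamed entry is still wrong. Fix it while this line is being touched. The context line at new 171 also reads "encounter them.We count", which is missing a space after the period.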