Cross-Origin Resource Sharing

Cross-Origin Resource Sharing (CORS) is a header-based mechanism that defines what cross-origin requests to the gateway must look like. The specification includes a set of headers that control which domains the gateway can be accessed from, which headers a request can send, and which HTTP methods are allowed.

The managed Grafbase gateway allows a subset of CORS settings to be defined.

The maxAge value is the time in seconds that the response to a preflight request can be cached before the browser sends another preflight request (the Access-Control-Max-Age header). The Grafbase default is 88400 seconds, but if the CORS rules are defined in the Grafbase SDK without setting the maxAge value, the header is omitted and results can be cached indefinitely.

```typescript
import { auth, config, graph } from '@grafbase/sdk'

const g = graph.Standalone()

export default config({
  graph: g,
  cors: {
    // Cache the preflight response for 88400 seconds
    maxAge: 88400,
  },
})
```

The Access-Control-Allow-Origin header specifies a single origin from which the browser can access the gateway. The SDK allows multiple origins to be defined in its CORS settings, and the returned header value will be the origin of the request if it matches any of the defined origins. The value can be set to '*', meaning any origin is allowed to send requests to the gateway. The origin values are of type URL, which prevents the use of strings that are not valid URLs.

```typescript
import { auth, config, graph } from '@grafbase/sdk'

const g = graph.Standalone()

const cfg = config({
  graph: g,
  cors: {
    // Only this origin may access the gateway from a browser
    allowedOrigins: [new URL('https://example.com')],
  },
})
```

For any origin:

```typescript
import { auth, config, graph } from '@grafbase/sdk'

const g = graph.Standalone()

const cfg = config({
  graph: g,
  cors: {
    // Any origin may access the gateway from a browser
    allowedOrigins: '*',
  },
})
```

If CORS settings are present but no value is set for allowedOrigins, the header will not be defined in the preflight response. When the CORS settings are omitted completely, the Grafbase default value is '*'.

It is recommended to have https://app.grafbase.com as one of the allowed origins, or '*', for the Pathfinder in the Grafbase dashboard to work.
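The allowedOrigins rules described above (reflect the request origin when it is on the list, return '*' for the wildcard, leave the header out when no value is set) can be modelled as follows. This is an added example, not Grafbase gateway code: `resolveAllowOrigin`, `CorsOrigins` and the sample origins are hypothetical, and exact comparison of serialized origins is an assumption about how the match is done.

```typescript
// Added example modelling the allowedOrigins behaviour described on this page.
// Not Grafbase code: CorsOrigins and resolveAllowOrigin are hypothetical names.
// undefined models "CORS settings present, allowedOrigins not set".
type CorsOrigins = '*' | URL[] | undefined

// Returns the Access-Control-Allow-Origin value for a request, or
// undefined when the header is left out of the response.
function resolveAllowOrigin(
  allowed: CorsOrigins,
  requestOrigin: string | undefined,
): string | undefined {
  if (allowed === undefined) return undefined // no value set: header not defined
  if (allowed === '*') return '*' // any origin is allowed
  if (requestOrigin === undefined) return undefined // request carried no Origin header

  let parsed: URL
  try {
    parsed = new URL(requestOrigin)
  } catch {
    return undefined // not a valid URL (this includes the literal "null" origin)
  }

  // Assumption: compare serialized origins (scheme + host + port) exactly.
  // Prefix or substring comparison would also accept look-alike hosts.
  const match = allowed.some((u) => u.origin === parsed.origin)
  return match ? parsed.origin : undefined
}

// Constructed sample allow list, including the dashboard origin recommended above.
const allowList: URL[] = [
  new URL('https://example.com'),
  new URL('https://app.grafbase.com'),
]

// Constructed sample Origin header values.
const samples = [
  'https://app.grafbase.com', // listed: reflected back
  'https://example.com.example.net', // look-alike host: no header
  'http://example.com', // scheme differs: no header
]
for (const origin of samples) {
  console.log(origin, '->', resolveAllowOrigin(allowList, origin))
}
```

When the header value depends on the request origin, responses are generally expected to carry `Vary: Origin` so that a shared cache does not serve one origin's response to another.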
