{"templateId":"markdown","sharedDataIds":{},"props":{"metadata":{"markdoc":{"tagList":["configOptionRequirements"]},"redocly_category":"Realm","type":"markdown"},"seo":{"title":"corsProxy","description":"OpenAPI-generated documentation tool with 24k+ stars on Github - make APIs your company's superpower.","siteUrl":"https://redocly.com","image":"/assets/redocly-card.f670aae34a39545a5ea633a540cb3a4a333a1f23bb2ed3c4a1b17a5fbcf0ac85.db81178d.png","lang":"en-US","llmstxt":{"hide":false,"sections":[{"title":"Table of contents","includeFiles":["**/*"],"excludeFiles":[]}],"excludeFiles":[]}},"dynamicMarkdocComponents":[],"compilationErrors":[],"ast":{"$$mdtype":"Tag","name":"article","attributes":{},"children":[{"$$mdtype":"Tag","name":"Heading","attributes":{"level":1,"id":"corsproxy","__idx":0},"children":[{"$$mdtype":"Tag","name":"code","attributes":{},"children":["corsProxy"]}]},{"$$mdtype":"Tag","name":"ConfigOptionRequirements","attributes":{"products":["Redoc","Revel","Reef","Realm"],"plans":["Pro","Enterprise","Enterprise+"]},"children":[]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["Redocly projects include a built-in CORS proxy at ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["/_api/cors/"]}," that lets browser-based features (such as the ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["Try it"]}," console) reach APIs on different origins without running into CORS restrictions."]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["By default, the proxy forwards requests to any remote URL."," ","Use ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["corsProxy"]}," to only forward URLs to an explicit allowlist of URL prefixes so that only known API hosts can be reached through your project's domain."]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"options","__idx":1},"children":["Options"]},{"$$mdtype":"Tag","name":"div","attributes":{"className":"md-table-wrapper"},"children":[{"$$mdtype":"Tag","name":"table","attributes":{"className":"md"},"children":[{"$$mdtype":"Tag","name":"thead","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Option"},"children":["Option"]},{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Type"},"children":["Type"]},{"$$mdtype":"Tag","name":"th","attributes":{"data-label":"Description"},"children":["Description"]}]}]},{"$$mdtype":"Tag","name":"tbody","attributes":{},"children":[{"$$mdtype":"Tag","name":"tr","attributes":{},"children":[{"$$mdtype":"Tag","name":"td","attributes":{},"children":["allowedTargets"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["[string]"]},{"$$mdtype":"Tag","name":"td","attributes":{},"children":["List of URL prefixes the CORS proxy is allowed to forward requests to."," ","Each entry is matched as a ",{"$$mdtype":"Tag","name":"strong","attributes":{},"children":["prefix"]}," against the full target URL."," ","When the list is non-empty, any request whose target does not start with one of these prefixes is rejected with a ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["403"]}," response."," ","When omitted or empty, the proxy forwards requests to any URL (default behavior)."]}]}]}]}]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"examples","__idx":2},"children":["Examples"]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"restrict-to-a-single-api","__idx":3},"children":["Restrict to a single API"]},{"$$mdtype":"Tag","name":"CodeBlock","attributes":{"data-language":"yaml","header":{"controls":{"copy":{}}},"source":"corsProxy:\n  allowedTargets:\n    - https://api.example.com/v1/\n","lang":"yaml"},"children":[]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["With this configuration, ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["/_api/cors/https://api.example.com/v1/users"]}," is proxied, but ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["/_api/cors/https://evil.com/steal"]}," is blocked."]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"allow-multiple-hosts","__idx":4},"children":["Allow multiple hosts"]},{"$$mdtype":"Tag","name":"CodeBlock","attributes":{"data-language":"yaml","header":{"controls":{"copy":{}}},"source":"corsProxy:\n  allowedTargets:\n    - https://api.example.com/\n    - https://cdn.example.com/assets/\n    - https://partner-api.acme.io/v2/\n","lang":"yaml"},"children":[]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":3,"id":"unrestricted-default","__idx":5},"children":["Unrestricted (default)"]},{"$$mdtype":"Tag","name":"p","attributes":{},"children":["When ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["corsProxy"]}," is not specified, or ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["allowedTargets"]}," is empty, the proxy forwards requests to any URL:"]},{"$$mdtype":"Tag","name":"CodeBlock","attributes":{"data-language":"yaml","header":{"controls":{"copy":{}}},"source":"corsProxy:\n  allowedTargets: []\n","lang":"yaml"},"children":[]},{"$$mdtype":"Tag","name":"Heading","attributes":{"level":2,"id":"resources","__idx":6},"children":["Resources"]},{"$$mdtype":"Tag","name":"ul","attributes":{},"children":[{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":[{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"/docs/realm/config"},"children":["Configuration options"]}]}," - Explore other project configuration options"]},{"$$mdtype":"Tag","name":"li","attributes":{},"children":[{"$$mdtype":"Tag","name":"strong","attributes":{},"children":[{"$$mdtype":"Tag","name":"MarkdownLink","attributes":{"href":"/docs/realm/config/openapi/cors-proxy-url"},"children":["OpenAPI ",{"$$mdtype":"Tag","name":"code","attributes":{},"children":["corsProxyUrl"]}]}]}," - Configure the CORS proxy URL used by the Try it console"]}]}]},"headings":[{"value":"corsProxy","id":"corsproxy","depth":1},{"value":"Options","id":"options","depth":2},{"value":"Examples","id":"examples","depth":2},{"value":"Restrict to a single API","id":"restrict-to-a-single-api","depth":3},{"value":"Allow multiple hosts","id":"allow-multiple-hosts","depth":3},{"value":"Unrestricted (default)","id":"unrestricted-default","depth":3},{"value":"Resources","id":"resources","depth":2}],"frontmatter":{"products":["Redoc","Revel","Reef","Realm"],"plans":["Pro","Enterprise","Enterprise+"],"description":"Restrict the built-in CORS proxy to specific remote hosts and paths.","seo":{"title":"corsProxy"}},"lastModified":"2026-04-08T14:26:41.000Z","pagePropGetterError":{"message":"","name":""}},"slug":"/docs/realm/config/cors-proxy","userData":{"isAuthenticated":false,"teams":["anonymous"]},"isPublic":true}