Stay organized with collections
Save and categorize content based on your preferences.
OpenAPI | gRPC
CORS (Cross-origin resource sharing) is a standard mechanism that allows XMLHttpRequest (XHR) calls executed in a web page to interact with resources from different origins. Without CORS, the same-origin policy enforced by all browsers would prevent cross-origin requests. For more background information on CORS, see the Mozilla Developer Network (MDN) reference documentation.
The CORS standard requires that web clients issue a CORS preflight OPTIONS to determine if the requested web server supports CORS. If a web server supports CORS request, it will handle the OPTIONS request with proper CORS response headers.
Handle CORS in your backend application
If your backend supports CORS, you can configure ESP or ESPv2 to pass the CORS request to your backend.
you can enable pass-through in the OpenAPI spec for your API as shown below:
If your backend does not support CORS, you can configure ESP or ESPv2 to handle CORS requests by specifying CORS startup flags. In this approach, CORS Preflight requests will not pass through to your backend application. Additionally, ESP or ESPv2 will append the configured CORS headers to responses from the backend service when appropriate.
The following CORS startup options are available for ESP and ESPv2
[[["Easy to understand","easyToUnderstand","thumb-up"],["Solved my problem","solvedMyProblem","thumb-up"],["Other","otherUp","thumb-up"]],[["Hard to understand","hardToUnderstand","thumb-down"],["Incorrect information or sample code","incorrectInformationOrSampleCode","thumb-down"],["Missing the information/samples I need","missingTheInformationSamplesINeed","thumb-down"],["Other","otherDown","thumb-down"]],["Last updated 2025-08-28 UTC."],[[["\u003cp\u003eCORS (Cross-origin resource sharing) allows web pages to interact with resources from different origins, bypassing the same-origin policy enforced by browsers.\u003c/p\u003e\n"],["\u003cp\u003eWeb servers supporting CORS respond to preflight \u003ccode\u003eOPTIONS\u003c/code\u003e requests with appropriate CORS headers, as required by the CORS standard.\u003c/p\u003e\n"],["\u003cp\u003eYou can configure ESP or ESPv2 to pass CORS requests to your backend if the backend supports CORS by enabling pass-through in the OpenAPI specification.\u003c/p\u003e\n"],["\u003cp\u003eIf your backend doesn't support CORS, ESP or ESPv2 can be configured to handle CORS requests using specific startup flags, preventing preflight requests from reaching the backend.\u003c/p\u003e\n"],["\u003cp\u003eWhen handling CORS via ESPv2, the preflight \u003ccode\u003eOPTIONS\u003c/code\u003e requests must include a valid \u003ccode\u003eOrigin\u003c/code\u003e and \u003ccode\u003eAccess-Control-Request-Method\u003c/code\u003e header to be handled properly.\u003c/p\u003e\n"]]],[],null,["# Enabling CORS support for Endpoints\n\nOpenAPI \\| gRPC\n\n\u003cbr /\u003e\n\nCORS (Cross-origin resource sharing) is a standard mechanism that allows XMLHttpRequest (XHR) calls executed in a web page to interact with resources from different origins. Without CORS, the [same-origin policy](https://developer.mozilla.org/docs/Web/Security/Same-origin_policy) enforced by all browsers would prevent cross-origin requests. For more background information on CORS, see the [Mozilla Developer Network (MDN) reference documentation](https://developer.mozilla.org/docs/Web/HTTP/CORS).\n\nThe CORS standard requires that web clients issue a CORS preflight `OPTIONS` to determine if the requested web server supports CORS. If a web server supports CORS request, it will handle the `OPTIONS` request with proper CORS response headers.\n\nHandle CORS in your backend application\n---------------------------------------\n\nIf your backend supports CORS, you can configure ESP or ESPv2 to pass the CORS request to your backend.\nyou can enable pass-through in the OpenAPI spec for your API as shown below: \n\n```text\nswagger: \"2.0\"\nhost: \"my-cool-api.endpoints.my-project-id.cloud.goog\"\nx-google-endpoints:\n- name: \"my-cool-api.endpoints.my-project-id.cloud.goog\"\n allowCors: True\n```\n| **Warning:** the `name` field under `x-google-endpoints` must match the `host` field value. Both fields should use the endpoint service name.\n\nHandle CORS with ESP or ESPv2\n-----------------------------\n\nIf your backend does not support CORS, you can configure ESP or ESPv2 to handle CORS requests by specifying CORS startup flags. In this approach, [CORS Preflight requests](https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS#preflighted_requests) will not pass through to your backend application. Additionally, ESP or ESPv2 will append the configured CORS headers to responses from the backend service when appropriate.\n\nThe following CORS startup options are available for ESP and ESPv2\n\n- [ESP CORS startup flags](/endpoints/docs/openapi/specify-proxy-startup-options#adding_cors_support_to_esp)\n- [ESPv2 CORS startup flags](/endpoints/docs/openapi/specify-esp-v2-startup-options#cors)\n\n\u003cbr /\u003e\n\n| **Warning:** if CORS is handled by ESPv2, the `OPTIONS` CORS preflight request must have a valid `Origin` and `Access-Control-Request-Method` headers, otherwise it will not be handled properly."]]
