Cross-Origin Resource Sharing

The API supports Cross-Origin Resource Sharing (CORS) for requests from any origin. For more details on CORS and how it affects requests, please refer to the W3 CORS Specification and this document on CORS-related security. When an Origin header is specified in the request, the following headers are added to the response, varying depending on whether the request is a preflight request (such as one using the OPTIONS method) or not:

| Header | Preflight Only | Description |
|---|---|---|
| Access-Control-Allow-Credentials | NO | Indicates whether the response to the request can be exposed. For preflight requests it indicates that the actual request can include user credentials. |
| Access-Control-Allow-Headers | YES | Indicates which header field names can be used during the actual request. |
| Access-Control-Allow-Methods | YES | Indicates which methods can be used during the actual request. |
| Access-Control-Allow-Origin | NO | Indicates whether a resource can be shared by returning the value of the Origin request header, "*", or "null". |
| Access-Control-Expose-Headers | NO | Indicates which headers are safe to be exposed. |
| Access-Control-Max-Age | YES | Indicates how long the results of the preflight request can be cached for. |

Let's see this in action for a preflight request when the browser goes to https://example.com:

curl -i -X OPTIONS -H "Origin: https://example.com" https://api.cloudsmith.io/user/self/

HTTP/1.0 200 OK
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: accept, accept-encoding, authorization, content-type, dnt, origin, user-agent, x-csrftoken, x-requested-with
Access-Control-Allow-Methods: DELETE, GET, OPTIONS, PATCH, POST, PUT
Access-Control-Allow-Origin: https://example.com
Access-Control-Expose-Headers: ETag, Link, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset, X-RateLimit-Interval, X-OAuth-Scopes, X-Accepted-OAuth-Scopes
Access-Control-Max-Age: 86400
[snip]

Then for the actual non-preflight request:

curl -i -H "Origin: https://example.com" https://api.cloudsmith.io/user/self/

HTTP/1.0 200 OK
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: https://example.com
Access-Control-Expose-Headers: ETag, Link, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset, X-RateLimit-Interval, X-OAuth-Scopes, X-Accepted-OAuth-Scopes
[snip]
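
How a browser would evaluate the two responses above, as an added example (not Cloudsmith code). It is a simplified model of the Fetch CORS rules: wildcard method/header values are ignored, every name passed in `requestHeaders` is assumed to be non-safelisted, and the function names are hypothetical.

```javascript
// Parse "Name: value" lines into a map keyed by lower-cased header name.
function parseHeaders(raw) {
  const headers = {};
  for (const line of raw.split("\n")) {
    const i = line.indexOf(":");
    if (i > 0) headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  return headers;
}
// Split a comma-separated header value into lower-cased tokens.
const tokens = (v) => (v || "").split(",").map((t) => t.trim().toLowerCase()).filter(Boolean);

// CORS check applied to every cross-origin response (preflight or actual).
function corsCheck(headers, origin, withCredentials) {
  const allowOrigin = headers["access-control-allow-origin"];
  if (allowOrigin === undefined) return "blocked: no Access-Control-Allow-Origin";
  if (!withCredentials) return allowOrigin === "*" || allowOrigin === origin ? "ok" : "blocked: origin mismatch";
  // Credentialed requests: "*" is not accepted, the origin must match exactly.
  if (allowOrigin !== origin) return "blocked: origin mismatch";
  return headers["access-control-allow-credentials"] === "true" ? "ok" : "blocked: credentials not allowed";
}

// Preflight check: the CORS check plus the method and header allow-lists.
function preflightCheck(headers, origin, withCredentials, method, requestHeaders) {
  const base = corsCheck(headers, origin, withCredentials);
  if (base !== "ok") return base;
  const m = method.toLowerCase();
  // GET, HEAD and POST never need to be listed in Access-Control-Allow-Methods.
  if (!["get", "head", "post"].includes(m) && !tokens(headers["access-control-allow-methods"]).includes(m))
    return "blocked: method " + method;
  const allowed = tokens(headers["access-control-allow-headers"]);
  const denied = requestHeaders.find((h) => !allowed.includes(h.toLowerCase()));
  return denied ? "blocked: header " + denied : "ok";
}

// Can page script read this response header? Safelisted or explicitly exposed only.
function canRead(headers, name) {
  const safelisted = ["cache-control", "content-language", "content-length", "content-type", "expires", "last-modified", "pragma"];
  return safelisted.includes(name.toLowerCase()) || tokens(headers["access-control-expose-headers"]).includes(name.toLowerCase());
}

// Sample input: the response headers shown in the two curl examples above.
const PREFLIGHT = parseHeaders(`Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: accept, accept-encoding, authorization, content-type, dnt, origin, user-agent, x-csrftoken, x-requested-with
Access-Control-Allow-Methods: DELETE, GET, OPTIONS, PATCH, POST, PUT
Access-Control-Allow-Origin: https://example.com
Access-Control-Max-Age: 86400`);
const ACTUAL = parseHeaders(`Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: https://example.com
Access-Control-Expose-Headers: ETag, Link, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset, X-RateLimit-Interval, X-OAuth-Scopes, X-Accepted-OAuth-Scopes`);
```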
