Cross-Origin Resource Sharing

The API supports Cross-Origin Resource Sharing (CORS) for requests from any origin. For more details on CORS and how it affects requests, please refer to the W3 CORS Specification and this document on CORS-related security. When an Origin header is specified in the request, the following headers are added to the response, varying depending on whether the request is a preflight request (such as one using the OPTIONS method) or not:

| Header | Preflight Only | Description |
| --- | --- | --- |
| Access-Control-Allow-Credentials | NO | Indicates whether the response to the request can be exposed. For preflight requests, it indicates that the actual request can include user credentials. |
| Access-Control-Allow-Headers | YES | Indicates which header field names can be used during the actual request. |
| Access-Control-Allow-Methods | YES | Indicates which methods can be used during the actual request. |
| Access-Control-Allow-Origin | NO | Indicates whether a resource can be shared by returning the value of the Origin request header, "*", or "null". |
| Access-Control-Expose-Headers | NO | Indicates which headers are safe to be exposed. |
| Access-Control-Max-Age | YES | Indicates how long the results of the preflight request can be cached for. |

Let's see it in action for a preflight request when the browser goes to https://example.com:

curl -i -X OPTIONS -H "Origin: https://example.com" https://api.cloudsmith.io/user/self/

HTTP/1.0 200 OK
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: accept, accept-encoding, authorization, content-type, dnt, origin, user-agent, x-csrftoken, x-requested-with
Access-Control-Allow-Methods: DELETE, GET, OPTIONS, PATCH, POST, PUT
Access-Control-Allow-Origin: https://example.com
Access-Control-Expose-Headers: ETag, Link, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset, X-RateLimit-Interval, X-OAuth-Scopes, X-Accepted-OAuth-Scopes
Access-Control-Max-Age: 86400
[snip]

Then for the actual non-preflight request:

curl -i -H "Origin: https://example.com" https://api.cloudsmith.io/user/self/

HTTP/1.0 200 OK
Access-Control-Allow-Credentials: true
Access-Control-Allow-Origin: https://example.com
Access-Control-Expose-Headers: ETag, Link, X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset, X-RateLimit-Interval, X-OAuth-Scopes, X-Accepted-OAuth-Scopes
[snip]
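
The decision a browser makes from the preflight response above, as an added example (not Cloudsmith's code). The function and option names are assumptions, the header values are those from the preflight response shown on this page, and the check is a simplified form of the rules in the Fetch standard.

```javascript
// Preflight response headers copied from the example on this page.
const PREFLIGHT = `Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: accept, accept-encoding, authorization, content-type, dnt, origin, user-agent, x-csrftoken, x-requested-with
Access-Control-Allow-Methods: DELETE, GET, OPTIONS, PATCH, POST, PUT
Access-Control-Allow-Origin: https://example.com
Access-Control-Max-Age: 86400`;

// Parse "Name: value" lines into a Map keyed by lower-cased header name.
function parseHeaders(raw) {
  const headers = new Map();
  for (const line of raw.split(/\r?\n/)) {
    const idx = line.indexOf(":");
    if (idx > 0) headers.set(line.slice(0, idx).trim().toLowerCase(), line.slice(idx + 1).trim());
  }
  return headers;
}

// Split a comma-separated header value into a set of lower-cased tokens.
function tokens(value) {
  return new Set((value || "").split(",").map((t) => t.trim().toLowerCase()).filter(Boolean));
}

// Simplified preflight check (assumptions: "*" is handled only for
// Access-Control-Allow-Origin, and every request header passed in is
// treated as needing explicit permission from Access-Control-Allow-Headers).
function preflightAllows(raw, { origin, method, headers = [], credentials = false }) {
  const h = parseHeaders(raw);
  const allowOrigin = h.get("access-control-allow-origin");
  // "*" is acceptable only when the request carries no credentials.
  const originOk = allowOrigin === origin || (allowOrigin === "*" && !credentials);
  if (!originOk) return { allowed: false, reason: "origin" };
  if (credentials && h.get("access-control-allow-credentials") !== "true")
    return { allowed: false, reason: "credentials" };
  // GET, HEAD and POST are CORS-safelisted methods and need no listing.
  const methods = tokens(h.get("access-control-allow-methods"));
  const m = method.toLowerCase();
  if (!["get", "head", "post"].includes(m) && !methods.has(m))
    return { allowed: false, reason: "method" };
  const allowedHeaders = tokens(h.get("access-control-allow-headers"));
  const blocked = headers.find((name) => !allowedHeaders.has(name.toLowerCase()));
  if (blocked) return { allowed: false, reason: `header:${blocked.toLowerCase()}` };
  return { allowed: true, cacheSeconds: Number(h.get("access-control-max-age") || 0) };
}

console.log(preflightAllows(PREFLIGHT, {
  origin: "https://example.com", method: "PATCH",
  headers: ["Authorization", "Content-Type"], credentials: true,
}));
```

The `cacheSeconds` value is how long the browser may reuse this preflight result before sending another OPTIONS request.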
