diff --git a/spring-boot-docs/src/main/asciidoc/appendix-application-properties.adoc b/spring-boot-docs/src/main/asciidoc/appendix-application-properties.adoc index 0c6bb7eeb3..ad308ab477 100644 --- a/spring-boot-docs/src/main/asciidoc/appendix-application-properties.adoc +++ b/spring-boot-docs/src/main/asciidoc/appendix-application-properties.adoc @@ -767,7 +767,7 @@ content into your application; rather pick only the properties that you need. endpoints.liquibase.id=liquibase endpoints.liquibase.sensitive=false - # ENDPOINTS CORS CONFIGURATION ({sc-spring-boot-actuator}/autoconfigure/MvcEndpointCorsProperties.{sc-ext}[MvcEndpointCorsProperties]) + # ENDPOINTS CORS CONFIGURATION ({sc-spring-boot-actuator}/autoconfigure/EndpointCorsProperties.{sc-ext}[EndpointCorsProperties]) endpoints.cors.allow-credentials= # set whether user credentials are support. When not set, credentials are not supported. endpoints.cors.allowed-origins= # comma-separated list of origins to allow. * allows all origins. When not set, CORS support is disabled. endpoints.cors.allowed-methods= # comma-separated list of methods to allow. * allows all methods. When not set, defaults to GET. diff --git a/spring-boot-docs/src/main/asciidoc/production-ready-features.adoc b/spring-boot-docs/src/main/asciidoc/production-ready-features.adoc index 743043770f..2db1dff3c5 100644 --- a/spring-boot-docs/src/main/asciidoc/production-ready-features.adoc +++ b/spring-boot-docs/src/main/asciidoc/production-ready-features.adoc @@ -186,6 +186,26 @@ If the https://github.com/mikekelly/hal-browser[HAL Browser] is on the classpath via its webjar (`org.webjars:hal-browser`), or via the `spring-data-rest-hal-browser` then an HTML "`discovery page`", in the form of the HAL Browser, is also provided. +[[production-ready-endpoint-cors]] +=== CORS support + +http://en.wikipedia.org/wiki/Cross-origin_resource_sharing[Cross-origin resource sharing] +(CORS) is a http://www.w3.org/TR/cors/[W3C specification] that allows you to specify in a +flexible way what kind of cross domain requests are authorized. Actuator's MVC endpoints +can be configured to support such scenario. + +CORS support is disabled by default and is only enabled once the +`endpoints.cors.allowed-origins` property has been set. The configuration below permits +`GET` and `POST` calls from the `example.com` domain: + +[source,properties,indent=0] +---- + endpoints.cors.allowed-origins=http://example.com + endpoints.cors.allowed-methods=GET,POST +---- + +TIP: Check {sc-spring-boot-actuator}/autoconfigure/EndpointCorsProperties.{sc-ext}[EndpointCorsProperties] +for a complete list of options. [[production-ready-customizing-endpoints-programmatically]]