CORS Configuration
Cross-Origin Resource Sharing (CORS) controls which web origins can access your MinIO AIStor resources. MinIO AIStor supports both global and per-bucket CORS configuration.
Global CORS settings
Configure global CORS behavior using the MINIO_API_CORS_ALLOW_ORIGIN environment variable or the api cors_allow_origin configuration setting.
Set a comma-separated list of allowed origins:
export MINIO_API_CORS_ALLOW_ORIGIN="https://app.example.com,https://dashboard.example.com"
The default value is * (all origins).
Wildcard origin and credentials
When cors_allow_origin is *, MinIO AIStor echoes the requesting origin with Access-Control-Allow-Credentials: true by default.
This behavior is controlled by MINIO_API_CORS_ALLOW_CREDENTIALS_WITH_WILDCARD.
Set it to off for stricter CORS compliance in production environments.
Per-bucket CORS configuration
MinIO AIStor supports the S3 CORS specification for per-bucket configuration. Each bucket can have up to 100 CORS rules.
Per-bucket CORS configuration takes precedence over the global setting. If a bucket has CORS rules configured, they are used instead of the global configuration.
Manage bucket CORS
Use the mc CLI to manage per-bucket CORS rules:
mc cors set ALIAS/BUCKET cors-config.xml
mc cors get ALIAS/BUCKET
mc cors remove ALIAS/BUCKET
See mc cors set, mc cors get, and mc cors remove for full command reference.
Example CORS configuration
Allow a web application to access objects in a bucket:
<CORSConfiguration>
  <CORSRule>
    <AllowedOrigin>https://app.example.com</AllowedOrigin>
    <AllowedMethod>GET</AllowedMethod>
    <AllowedMethod>PUT</AllowedMethod>
    <AllowedMethod>HEAD</AllowedMethod>
    <AllowedHeader>*</AllowedHeader>
    <ExposeHeader>ETag</ExposeHeader>
    <MaxAgeSeconds>3600</MaxAgeSeconds>
  </CORSRule>
</CORSConfiguration>
You can also configure per-bucket CORS using the S3 API directly with the PutBucketCors, GetBucketCors, and DeleteBucketCors operations.
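Because a bucket's CORS rules replace the global setting, it helps to review cors-config.xml before running mc cors set. The following is an added example, not part of MinIO AIStor or mc: the names audit_cors, local and MAX_RULES and the sample XML are constructed here, and the wildcard and plain-HTTP findings are this example's own review policy, not limits enforced by the server.

```python
import xml.etree.ElementTree as ET

MAX_RULES = 100  # per-bucket rule limit stated on this page

# Constructed sample: a trimmed copy of the page's rule plus a broad second rule.
SAMPLE = """<CORSConfiguration>
  <CORSRule>
    <AllowedOrigin>https://app.example.com</AllowedOrigin>
    <AllowedMethod>GET</AllowedMethod>
    <AllowedMethod>PUT</AllowedMethod>
  </CORSRule>
  <CORSRule>
    <AllowedOrigin>*</AllowedOrigin>
    <AllowedMethod>DELETE</AllowedMethod>
  </CORSRule>
</CORSConfiguration>"""

def local(tag):
    """Strip an optional XML namespace: '{ns}CORSRule' -> 'CORSRule'."""
    return tag.rsplit("}", 1)[-1]

def audit_cors(xml_text):
    """Return (rule_number, finding) tuples; rule 0 means the whole document."""
    root = ET.fromstring(xml_text)
    rules = [e for e in root if local(e.tag) == "CORSRule"]
    findings = []
    if len(rules) > MAX_RULES:
        findings.append((0, f"{len(rules)} rules exceeds the limit of {MAX_RULES}"))
    for n, rule in enumerate(rules, 1):
        vals = {}
        for child in rule:
            vals.setdefault(local(child.tag), []).append((child.text or "").strip())
        origins = vals.get("AllowedOrigin", [])
        methods = vals.get("AllowedMethod", [])
        if not origins or not methods:
            findings.append((n, "rule needs AllowedOrigin and AllowedMethod"))
        writes = sorted(set(methods) & {"PUT", "POST", "DELETE"})
        for o in origins:
            if o == "*":
                scope = f" for {','.join(writes)}" if writes else ""
                findings.append((n, "AllowedOrigin * matches every origin" + scope))
            elif "*" in o:
                findings.append((n, f"wildcard pattern in origin {o}"))
            elif o.startswith("http://"):
                findings.append((n, f"plain-HTTP origin {o}"))
    return findings

if __name__ == "__main__":
    print(*audit_cors(SAMPLE), sep="\n")
```

An empty result means none of these checks fired; it does not confirm that the listed origins are the right ones for the bucket.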