惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

T
Threat Research - Cisco Blogs
博客园 - 聂微东
小众软件
小众软件
P
Proofpoint News Feed
Security Archives - TechRepublic
Security Archives - TechRepublic
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
TaoSecurity Blog
TaoSecurity Blog
博客园 - 司徒正美
罗磊的独立博客
N
News and Events Feed by Topic
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
S
Security Affairs
S
Security @ Cisco Blogs
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
The GitHub Blog
The GitHub Blog
月光博客
月光博客
S
Secure Thoughts
P
Proofpoint News Feed
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
Forbes - Security
Forbes - Security
H
Heimdal Security Blog
W
WeLiveSecurity
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
L
LangChain Blog
T
The Blog of Author Tim Ferriss
NISL@THU
NISL@THU
Google DeepMind News
Google DeepMind News
Cloudbric
Cloudbric
H
Hacker News: Front Page
The Last Watchdog
The Last Watchdog
Hacker News - Newest:
Hacker News - Newest: "LLM"
C
Cisco Blogs
博客园 - 三生石上(FineUI控件)
博客园_首页
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
S
Schneier on Security
Project Zero
Project Zero
SecWiki News
SecWiki News
爱范儿
爱范儿
The Register - Security
The Register - Security
AI
AI
H
Hackread – Cybersecurity News, Data Breaches, AI and More
Y
Y Combinator Blog
L
Lohrmann on Cybersecurity
Application and Cybersecurity Blog
Application and Cybersecurity Blog
P
Privacy International News Feed
J
Java Code Geeks
S
Securelist
C
Cyber Attacks, Cyber Crime and Cyber Security
V
Visual Studio Blog

NGINX Community Blog

External Authentication Policy in NGINX Ingress Controller: A Real World Use Case – NGINX Community Blog External Authentication Policy in NGINX Ingress Controller: Patterns for VirtualServer and Ingress – NGINX Community Blog mTLS Policies in NGINX Ingress Controller – NGINX Community Blog Optimising NGINX Ingress Controller Startup Performance – NGINX Community Blog Meet With Us: NGINX Gateway Fabric & NGINX Ingress Controller Community Calls  – NGINX Community Blog Security, Performance, and Easier Migration – NGINX Community Blog Strengthening the NGINX Community – NGINX Community Blog F5 WAF for NGINX Comes to the Gateway API – NGINX Community Blog How NGINX Ingress Controller and NGINX Gateway Fabric Handle Kubernetes Backend Changes Natively – NGINX Community Blog Cache Policy in NGINX Ingress Controller: A Practical Guide for VirtualServer – NGINX Community Blog Access Control Policy in NGINX Ingress Controller: Patterns for Ingress – NGINX Community Blog Enterprise-Grade Features and Gateway API 1.5 Conformance – NGINX Community Blog NGINX OSS 1.29.6 and 1.29.7: Open-sourced Session Persistence, Multipath TCP and More – NGINX Community Blog Keep-alive to upstreams is now default in NGINX 1.29.7 – NGINX Community Blog A Community Hub for NGINX on Kubernetes, Including a New Ingress-NGINX Migration Tool – NGINX Community Blog
CORS Policy in NGINX Ingress Controller v5.4.0: Patterns for VirtualServer and Ingress – NGINX Community Blog
Venktesh Shivam Patel · 2026-03-24 · via NGINX Community Blog

Starting with NGINX Ingress Controller (NIC) v5.4.0, you can define CORS behavior once in a Policy resource and apply it consistently across both VirtualServer and Ingress traffic paths.

Across this blog, we’re focused on:

  • How CORS policy works in NGINX Ingress Controller.
  • Where to attach it in VirtualServer and Ingress.

Why Use a Policy For CORS?

Many teams start with per-resource tuning and quickly end up with drift. Using a dedicated Policy for CORS gives you:

  • A single source of truth for allowed origins, methods, and headers.
  • Reuse across services and namespaces.
  • Cleaner reviews because CORS behavior is isolated from route logic.

How CORS Policy Works in NGINX Ingress Controller

At a high level:

  1. Create a Policy resource with spec.cors
  2. Attach it where traffic is defined:
    • VirtualServer.spec.policies (or route/subroute policies)
    • Ingress via the nginx.org/policies annotation
  3. NGINX Ingress Controller renders the corresponding NGINX CORS behavior and returns headers for preflight and actual cross-origin requests.

Example CORS Policy:

apiVersion: k8s.nginx.org/v1
kind: Policy
metadata:
   name: cors-policy
spec:
   cors:
      allowOrigin:
      - https://app.example.com
      allowMethods:
      - GET
      - POST
      - PUT
      - OPTIONS
      allowHeaders:
      - Content-Type
      - Authorization
      - X-Requested-With
      exposeHeaders:
      - X-Total-Count
      - X-Page-Size
      allowCredentials: true
      maxAge: 86400

Example of VirtualServer referencing above CORS Policy:

apiVersion: k8s.nginx.org/v1
kind: VirtualServer
metadata:
   name: webapp
spec:
   host: webapp.example.com
   policies:
   - name: cors-policy
   upstreams:
   - name: webapp
      service: webapp-svc
      port: 80
   routes:
   - path: /test
      action:
         pass: webapp

Example of Ingress referencing above CORS Policy:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
   name: cafe-ingress
   annotations:
      nginx.org/policies: "cors-policy"
spec:
   ingressClassName: nginx
   rules:
   - host: cafe.example.com
      http:
         paths:
         - path: /tea
            pathType: Prefix
            backend:
               service:
                  name: tea-svc
                  port:
                     number: 80

Important behavior to remember:

  • CORS policy can be applied to both VirtualServer and Ingress.
  • For VirtualServer, route/subroute policies override same-type policy at spec level.
  • For credentialed CORS (allowCredentials: true), explicit origins are required.

Production Checks That Prevent Most Issues

Before rollout, validate these explicitly:

  • Non-allowed origins do not receive Access-Control-Allow-Origin.
  • allowCredentials: true is only used with explicit origins (not *).

Security Considerations

CORS is a browser enforcement boundary, so keep it tight:

  • Use explicit origin allow-lists for production.
  • Avoid broad method/header lists unless required.
  • Treat allowCredentials as high trust; use narrowly scoped origins.
  • Review CORS policy changes with the same care as auth-related config changes.

You can find complete working examples on github and more documentation in our docs:

NGINX Community Forum