Open
Labels: area/auth, good first issue, hacktoberfest, scope/backend, status/triage/completed, type/enhancement
Description
Issue submitter TODO list
- I've searched for already existing issues here
- I'm running a supported version of the application which is listed here and the feature is not present there
Is your proposal related to a problem?
No response
Describe the feature you're interested in
I'd like to be able to define a custom Access-Control-Allow-Origin header value, in order to restrict other websites from accessing my deployment of Kafka-UI APIs.
The header value is currently hardcoded to * in CorsGlobalConfiguration.java.
It'll be nice if this was configurable via Spring properties.
Describe alternatives you've considered
I considered mutating the header at the load balancer level. Unfortunately, I'm using an AWS ALB load balancer and I don't think this feature is supported. At least, not via the Kubernetes ALB ingress controller.
Kafka-UI with oauth2 does prevent cross-origin requests because:
- Kafka-UI redirects unauthenticated requests to the oauth2 auth provider, AND
- Browsers do not send authentication details cross-origin because the Access-Control-Allow-Credentials header is not set
But as a defense-in-depth approach, it would still be good to control the value of Access-Control-Allow-Origin header.
Version you're running
Additional context
No response
Project status: In Review
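One way the requested behaviour could look in a Spring WebFlux application, as an added example that is not Kafka-UI's own code. The property name `example.cors.allowed-origins`, the class name, and the method and header lists are assumptions made for illustration.

```java
import java.util.Arrays;
import java.util.List;
import java.util.stream.Collectors;

import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.reactive.CorsWebFilter;
import org.springframework.web.cors.reactive.UrlBasedCorsConfigurationSource;

// Hypothetical configuration class: replaces a hardcoded "*" with an
// operator-supplied allowlist of origins.
@Configuration
public class ConfigurableCorsConfig {

  // Hypothetical property (comma-separated), for example:
  //   example.cors.allowed-origins=https://kafka-ui.example.com
  // The empty default means no cross-origin caller is allowed (fail closed).
  // Setting the value to * reproduces the wildcard behaviour.
  @Bean
  public CorsWebFilter corsWebFilter(
      @Value("${example.cors.allowed-origins:}") String allowedOriginsCsv) {

    // Parse the property, dropping blanks so "a, ,b" or "" behave sensibly.
    List<String> origins = Arrays.stream(allowedOriginsCsv.split(","))
        .map(String::trim)
        .filter(o -> !o.isEmpty())
        .collect(Collectors.toList());

    CorsConfiguration cors = new CorsConfiguration();
    // Only a request whose Origin header matches an entry gets
    // Access-Control-Allow-Origin back; Spring echoes that single origin.
    cors.setAllowedOrigins(origins);
    // Assumed method and header lists; adjust to what the API really needs.
    cors.setAllowedMethods(List.of("GET", "PUT", "POST", "DELETE", "OPTIONS"));
    cors.setAllowedHeaders(List.of("Content-Type"));
    cors.setMaxAge(3600L); // seconds a browser may cache the preflight result

    // Apply the same policy to every path served by the application.
    UrlBasedCorsConfigurationSource source = new UrlBasedCorsConfigurationSource();
    source.registerCorsConfiguration("/**", cors);
    return new CorsWebFilter(source);
  }
}
```

With this filter, a cross-origin request from an origin that is not on the list is rejected by Spring's CORS processing with a 403, and requests without an Origin header pass through unchanged.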