CORS

CORS (Cross-Origin Resource Sharing) lets browser applications access files in your bucket from a different domain. Add CORS rules to specify which origins, HTTP methods, and headers are permitted.

Before you begin

About CORS

  • CORS allows browser applications to access your bucket files.
  • Add your domain to allowed origins (e.g., https://myapp.com).
  • Use wildcards for subdomains (e.g., *.myapp.com).

Changes may take up to 5 minutes to propagate. CORS configuration is cached. Wait at least 5 minutes after saving before testing.

1

1. Go to CORS settings

Open a bucket, click the Settings tab, then click CORS in the settings sub-navigation.

2

2. Add a rule

Click + Add Rule. If no rules exist yet, click + Create Your First Rule.

3

3. Configure the rule

Fill in the ADD CORS RULE panel — subtitle: “Configure cross-origin resource sharing for browser access.”

Allowed Origins

Helper: “Specify which domains can access this bucket from a browser:”

Enter an origin in the input (placeholder: https://myapp.com or *.myapp.com) and click + Add Origin to add more. Use * to allow all origins.

Allowed Methods

Helper: “Select which HTTP methods are allowed:“

MethodDefault
GET✅ Enabled
PUT
POST
DELETE
HEAD

Allowed Headers

Helper: “Comma-separated list of headers browsers can send:” — defaults to * (allow all headers).

4

4. Save the rule

Click Save Rule to apply. Click Cancel to discard.

Verify

Your new rule appears in the CORS Policy list. Allow up to 5 minutes for the configuration to propagate before testing from a browser.

Troubleshooting

CORS rule not taking effect CORS configuration is cached. Wait at least 5 minutes after saving before testing.

Browser still blocked after adding origin Ensure the origin exactly matches the request origin — including the protocol (https://) and no trailing slash. Use *.myapp.com for wildcard subdomain matching.

All requests blocked Ensure the HTTP method used by your browser app (e.g. PUT for uploads) is checked in Allowed Methods.

Allowed Headers errors If your app sends custom headers, add them explicitly or use * to allow all headers.