CORS
Granit.Cors configures a default CORS policy driven by appsettings.json. Wildcard
origins (*) are rejected at startup in non-development environments to enforce
ISO 27001 network access controls.

```csharp
[DependsOn(typeof(GranitCorsModule))]
public class AppModule : GranitModule { }
```

```json
{
  "Cors": {
    "AllowedOrigins": ["https://app.example.com", "https://admin.example.com"],
    "AllowCredentials": false
  }
}
```

In Program.cs:

```csharp
app.UseCors(); // Uses the default policy configured by the module
```

Validation rules

| Rule | Enforced at | Environment |
|---|---|---|
| At least one origin required | Startup | All |
| Wildcard * forbidden | Startup | Non-development |
| AllowCredentials + wildcard rejected | Startup | All (CORS specification) |

Configuration reference

| Property | Default | Description |
|---|---|---|
| AllowedOrigins | [] | Allowed CORS origins (required, minimum 1) |
| AllowCredentials | false | Include Access-Control-Allow-Credentials: true |

The default policy applies AllowAnyHeader() and AllowAnyMethod(), which is
standard for REST APIs. Origins are restricted to the configured list.
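
The validation rules and default policy described above, written against plain ASP.NET Core as an added example (not Granit.Cors source code). `CorsSettings` and its `Validate` method are hypothetical names that mirror the documented options, and the exception messages and `/ping` endpoint are constructed.

```csharp
// Added example: not Granit.Cors source. CorsSettings and Validate are hypothetical names.
using System;
using System.Linq;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;

var builder = WebApplication.CreateBuilder(args);

// Bind the "Cors" section and fail fast, before the host starts serving requests.
var cors = builder.Configuration.GetSection("Cors").Get<CorsSettings>() ?? new CorsSettings();
CorsSettings.Validate(cors, builder.Environment.IsDevelopment());

builder.Services.AddCors(options => options.AddDefaultPolicy(policy =>
{
    // A wildcard can only reach this point in Development and without credentials.
    if (cors.AllowedOrigins.Contains("*")) policy.AllowAnyOrigin();
    else policy.WithOrigins(cors.AllowedOrigins);

    policy.AllowAnyHeader().AllowAnyMethod();
    if (cors.AllowCredentials) policy.AllowCredentials();
}));

var app = builder.Build();
app.UseCors(); // applies the default policy registered above
app.MapGet("/ping", () => "pong"); // constructed endpoint for manual testing
app.Run();

public sealed class CorsSettings
{
    public string[] AllowedOrigins { get; set; } = Array.Empty<string>();
    public bool AllowCredentials { get; set; }

    public static void Validate(CorsSettings s, bool isDevelopment)
    {
        if (s.AllowedOrigins.Length == 0) // rule 1: all environments
            throw new InvalidOperationException("Cors:AllowedOrigins must list at least one origin.");

        bool wildcard = s.AllowedOrigins.Contains("*");
        if (wildcard && s.AllowCredentials) // rule 3: all environments (CORS specification)
            throw new InvalidOperationException("Wildcard origin cannot be combined with AllowCredentials.");
        if (wildcard && !isDevelopment) // rule 2: non-development only
            throw new InvalidOperationException("Wildcard origin is only accepted in Development.");
    }
}
```

Because validation runs before `builder.Build()`, a misconfigured deployment fails at startup instead of serving responses under an over-permissive policy.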
Public API summary

| Category | Key types | Package |
|---|---|---|
| Module | GranitCorsModule | — |
| Options | GranitCorsOptions | Granit.Cors |
| Extensions | AddGranitCors() | Granit.Cors |
See also

- API & Http overview — All HTTP infrastructure packages
- Authentication module — JWT Bearer, OAuth2