lib/httpserver: add -http.disableCORS flag for disabling CORS (#8684)

### Changes Updated `lib/httpserver/httpserver.go` to include a flag that can toggle CORS (defaults to true to keep the current behavior). This PR relates to [this](https://github.com/VictoriaMetrics/VictoriaMetrics/issues/8680#issue-2983786438) feature request ### Checklist The following checks are **mandatory**: - [x] My change does not break backwards compatibility (i.e., preserves CORS being enabled unless specified otherwise via the `-http.cors.disabled=true` flag & value) --------- Co-authored-by: Jai Mehra <jai.mehra@nav-timing.safrangroup.com> Co-authored-by: hagen1778 <roman@victoriametrics.com> (cherry picked from commit 84163a56eb)
2026-05-28 14:07:06 +03:00 · 2025-05-05 14:06:22 -04:00
parent 99058d4923
commit 0420314077
11 changed files with 29 additions and 0 deletions
--- a/lib/httpserver/httpserver.go
+++ b/lib/httpserver/httpserver.go
@@ -64,6 +64,8 @@ var (
 	headerHSTS         = flag.String("http.header.hsts", "", "Value for 'Strict-Transport-Security' header, recommended: 'max-age=31536000; includeSubDomains'")
 	headerFrameOptions = flag.String("http.header.frameOptions", "", "Value for 'X-Frame-Options' header")
 	headerCSP          = flag.String("http.header.csp", "", `Value for 'Content-Security-Policy' header, recommended: "default-src 'self'"`)
+
+	disableCORS = flag.Bool("http.disableCORS", false, `Disable CORS for all origins (*)`)
 )

 var (
@@ -527,6 +529,10 @@ func CheckBasicAuth(w http.ResponseWriter, r *http.Request) bool {
 // EnableCORS enables https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
 // on the response.
 func EnableCORS(w http.ResponseWriter, _ *http.Request) {
+	if *disableCORS {
+		// see https://github.com/VictoriaMetrics/VictoriaMetrics/issues/8680
+		return
+	}
 	w.Header().Set("Access-Control-Allow-Origin", "*")
 }