Adding custom headers to the GraphQL response (CORS)

We can add custom headers to the GraphQL response. This is particularly useful to set the Access-Control-Allow-Origin header to avoid issues with CORS.

Response headers are set via the Schema Configuration, allowing us to send different headers for different endpoints. For instance, each endpoint can send the Access-Control-Allow-Origin header with the specific domain it is intended to be used with, thus increasing the security of our APIs.

Defining the Response Headers

The response headers can be configured in 2 places.

In the Schema Configuration applied to the endpoint, under the "Response Headers" block, select the option "Use custom configuration" and then provide the desired headers, one entry per line, in the format {header name}: {header value}.

For instance, provide the value:

Access-Control-Allow-Headers: content-type,content-length,accept

Otherwise, the value defined in the Settings page for Response Headers is used.
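The following is an added example, not part of the plugin or its documentation: a small check that can be run over a "Response Headers" block before pasting it into the Schema Configuration, to confirm that each entry follows the {header name}: {header value} format and that Access-Control-Allow-Origin names one specific origin. The function names and the example.com domains are assumptions made for illustration.

```python
import re

# Header names are HTTP tokens (RFC 7230).
TOKEN = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")
# One origin: scheme://host[:port], with no path and no trailing slash.
ORIGIN = re.compile(r"^https?://[A-Za-z0-9.-]+(:\d+)?$")

def parse_headers(block):
    """Parse '{header name}: {header value}' entries, one per line."""
    headers, problems = {}, []
    for n, line in enumerate(block.splitlines(), 1):
        if not line.strip():
            continue
        name, sep, value = line.partition(":")
        name, value = name.strip(), value.strip()
        if not sep or not TOKEN.match(name) or not value:
            problems.append(f"line {n}: expected '{{header name}}: {{header value}}'")
            continue
        headers.setdefault(name.lower(), []).append(value)
    return headers, problems

def lint_cors(block):
    """Return a list of problems found in a Response Headers block."""
    headers, problems = parse_headers(block)
    origins = headers.get("access-control-allow-origin", [])
    creds = headers.get("access-control-allow-credentials", [])
    if len(origins) > 1:
        problems.append("Access-Control-Allow-Origin is set more than once")
    for origin in origins:
        if origin == "*":
            problems.append("Access-Control-Allow-Origin: * lets any site read the response")
            if "true" in creds:
                problems.append("browsers reject a wildcard origin on credentialed requests")
        elif not ORIGIN.match(origin):
            problems.append(f"Access-Control-Allow-Origin must be one origin, got {origin!r}")
    return problems

# Constructed sample blocks in the format the Schema Configuration expects.
PER_ENDPOINT = """Access-Control-Allow-Origin: https://app.example.com
Access-Control-Allow-Headers: content-type,content-length,accept
"""
TOO_BROAD = """Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
"""
ORIGIN_LIST = "Access-Control-Allow-Origin: https://a.example.com, https://b.example.com"

if __name__ == "__main__":
    for block in (PER_ENDPOINT, TOO_BROAD, ORIGIN_LIST):
        print(lint_cors(block) or "ok")
```

An endpoint that must serve several front ends needs one Schema Configuration per origin, since the header carries a single origin and not a comma-separated list.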