@ryanburnette
Last active October 29, 2024 12:36
Caddy v2.1+ CORS whitelist
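(cors) {
	# Preflight: an OPTIONS request whose Origin is the allowed origin.
	# Matching on Origin as well as the method keeps one import's preflight
	# handler from answering preflights for the other allowed origins.
	@cors_preflight{args.0} {
		method OPTIONS
		header Origin {args.0}
	}
	# Any other request sent from the allowed origin.
	@cors{args.0} header Origin {args.0}

	handle @cors_preflight{args.0} {
		header {
			Access-Control-Allow-Origin "{args.0}"
			Access-Control-Allow-Methods "GET, POST, PUT, PATCH, DELETE, OPTIONS"
			Access-Control-Allow-Headers *
			Access-Control-Max-Age "3600"
			defer
		}
		respond "" 204
	}

	handle @cors{args.0} {
		header {
			Access-Control-Allow-Origin "{args.0}"
			Access-Control-Expose-Headers *
			defer
		}
	}
}

myawesomewebsite.com {
	root * /srv/public/
	file_server
	# One import per allowed origin.
	import cors https://member.myawesomewebsite.com
	import cors https://customer.myawesomewebsite.com
}
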

coolaj86 commented Oct 19, 2023

@ryanburnette This is finally making it onto the Webi cheatsheet: https://webinstall.dev/caddy

(though right now it's just in preview at https://next.webinstall.dev/caddy)

@vanodevium

When you want to enable CORS for ANY domain, you have to use the following configuration:

This is really a very rare case, but in my practice I often configure Caddy in such a way that it stands behind Traefik and is responsible for different domains.

(cors) {
	@cors_preflight method OPTIONS

	header {
		Access-Control-Allow-Origin "{header.origin}"
		Vary Origin
		Access-Control-Expose-Headers "Authorization"
		Access-Control-Allow-Credentials "true"
	}

	handle @cors_preflight {
		header {
			Access-Control-Allow-Methods "GET, POST, PUT, PATCH, DELETE"
			Access-Control-Max-Age "3600"
		}
		respond "" 204
	}
}

http:// {
	root * /srv/public/
	file_server

	import cors {header.origin}
}

Feel free to change exposed headers, methods etc :)
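
Added example (not part of the gist or of the comments above): a Python check that classifies the CORS headers a server returns for a probe request, applied to the headers the allowlist snippet and the reflect-any-origin snippet are written to emit. The header sets are constructed rather than captured from a live server, and `https://untrusted.example` and the finding names are made up for the illustration.

```python
ALLOWLIST = {"https://member.myawesomewebsite.com",
             "https://customer.myawesomewebsite.com"}
PROBE = "https://untrusted.example"  # constructed origin, not in the allowlist

def audit_cors(probe_origin, allowlist, headers):
    """Findings for one response to a request sent with Origin: probe_origin."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    vary = {t.strip().lower() for t in h.get("vary", "").split(",")}
    findings = []
    if acao is None:
        return findings  # no cross-origin grant at all
    if acao == "*":
        # Browsers refuse a wildcard grant on credentialed requests.
        return ["wildcard-with-credentials"] if creds else findings
    if acao == probe_origin and probe_origin not in allowlist:
        findings.append("grants-untrusted-origin")
        if creds:
            findings.append("credentials-allowed-for-untrusted-origin")
    if not ({"origin", "*"} & vary):
        # The grant depends on Origin, so shared caches need Vary: Origin.
        findings.append("missing-vary-origin")
    return findings

# Constructed GET responses mirroring the headers each snippet is written to set.
ALLOWLIST_TRUSTED = {      # allowlist snippet, Origin = member site
    "Access-Control-Allow-Origin": "https://member.myawesomewebsite.com",
    "Access-Control-Expose-Headers": "*",
}
ALLOWLIST_UNTRUSTED = {}   # allowlist snippet, Origin = PROBE: no matcher fires
REFLECT_UNTRUSTED = {      # reflect-any-origin snippet, Origin = PROBE
    "Access-Control-Allow-Origin": PROBE,
    "Vary": "Origin",
    "Access-Control-Expose-Headers": "Authorization",
    "Access-Control-Allow-Credentials": "true",
}

if __name__ == "__main__":
    member = "https://member.myawesomewebsite.com"
    for label, origin, hdrs in [
        ("allowlist, trusted origin", member, ALLOWLIST_TRUSTED),
        ("allowlist, untrusted origin", PROBE, ALLOWLIST_UNTRUSTED),
        ("reflect, untrusted origin", PROBE, REFLECT_UNTRUSTED),
    ]:
        print(f"{label}: {audit_cors(origin, ALLOWLIST, hdrs) or 'no findings'}")
```

To audit a deployed site, pass in the response headers from a request sent with the probe origin in its `Origin` header.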
