From fcc02ac53a74bbfc168a62b1e5d18903554f652f Mon Sep 17 00:00:00 2001 From: Anthony Lukach Date: Fri, 8 Aug 2025 09:39:29 -0700 Subject: [PATCH 1/2] docs(tips): add details about CORS configuration --- docs/user-guide/tips.md | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/docs/user-guide/tips.md b/docs/user-guide/tips.md index 3727f6ca..0d75d155 100644 --- a/docs/user-guide/tips.md +++ b/docs/user-guide/tips.md @@ -1,5 +1,14 @@ # Tips +## CORS + +The STAC Auth Proxy does not make any alterations to the [CORS Response headers](https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/CORS#the_http_response_headers) returned by the upstream STAC API. As such, all CORS configuration should be set within the upstream API. However, the upstream API's CORS settings may need to be altered, given that the STAC Auth Proxy brings authentication into the situation. Namely, CORS must support credentials. This typically looks like: + +* [`Access-Control-Allow-Credentials`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Access-Control-Allow-Credentials) is set to `true` +* [`Access-Control-Allow-Origin`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Access-Control-Allow-Origin) is _not_ be set to `*`[^CORSNotSupportingCredentials] + +[^CORSNotSupportingCredentials]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/CORS/Errors/CORSNotSupportingCredentials + ## Root Paths The proxy can be optionally served from a non-root path (e.g., `/api/v1`). Additionally, the proxy can optionally proxy requests to an upstream API served from a non-root path (e.g., `/stac`). To handle this, the proxy will: From 35bf9090469cf820a62904f67624f2d9524d0024 Mon Sep 17 00:00:00 2001 From: Anthony Lukach Date: Fri, 8 Aug 2025 09:42:40 -0700 Subject: [PATCH 2/2] Update tips.md --- docs/user-guide/tips.md | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) 
diff --git a/docs/user-guide/tips.md b/docs/user-guide/tips.md index 0d75d155..00200c34 100644 --- a/docs/user-guide/tips.md +++ b/docs/user-guide/tips.md @@ -2,10 +2,12 @@ ## CORS -The STAC Auth Proxy does not make any alterations to the [CORS Response headers](https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/CORS#the_http_response_headers) returned by the upstream STAC API. As such, all CORS configuration should be set within the upstream API. However, the upstream API's CORS settings may need to be altered, given that the STAC Auth Proxy brings authentication into the situation. Namely, CORS must support credentials. This typically looks like: +The STAC Auth Proxy does not modify the [CORS response headers](https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/CORS#the_http_response_headers) from the upstream STAC API. All CORS configuration must be handled by the upstream API. -* [`Access-Control-Allow-Credentials`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Access-Control-Allow-Credentials) is set to `true` -* [`Access-Control-Allow-Origin`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Access-Control-Allow-Origin) is _not_ be set to `*`[^CORSNotSupportingCredentials] +Because the STAC Auth Proxy introduces authentication, the upstream API’s CORS settings may need adjustment to support credentials. In most cases, this means: + +* [`Access-Control-Allow-Credentials`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Access-Control-Allow-Credentials) must be `true` +* [`Access-Control-Allow-Origin`](https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Access-Control-Allow-Origin) must _not_ be `*`[^CORSNotSupportingCredentials] [^CORSNotSupportingCredentials]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Guides/CORS/Errors/CORSNotSupportingCredentials
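Review bot: In the [PATCH 1/2] hunk, the second bullet under `## CORS` says what `Access-Control-Allow-Origin` must not be (`*`) but never says what it should be. Suggest stating that it must name the specific origin(s) of the client application. An upstream that serves several origins should check the request's `Origin` against an allowlist and send `Vary: Origin`, rather than echoing back whatever `Origin` arrives, because an echoed origin combined with `Access-Control-Allow-Credentials: true` is as permissive as the wildcard this bullet rules out. The same bullet reads "is _not_ be set to"; drop the "be" or write "must _not_ be set to".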
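Review bot: In the [PATCH 2/2] hunk, the lead-in "In most cases, this means:" hedges two bullets that are then worded as "must", so a reader cannot tell whether these are requirements or suggestions. The footnote already links the browser error for a wildcard origin on a credentialed request, so suggest naming the condition instead of hedging, for example "When browser clients send credentialed requests, the upstream API's CORS settings must satisfy:". The added paragraph also uses a typographic apostrophe in "API’s" where the removed line had a plain `'`; keep the ASCII form for consistency within the file.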