fix(cors): expose_headers cannot be set to **

apache · Apr 9, 2024 · aabaffc · aabaffc
1 parent 4df549c
commit aabaffc
Showing 1 changed file with 5 additions and 4 deletions.
diff --git a/apisix/plugins/cors.lua b/apisix/plugins/cors.lua
@@ -75,9 +75,8 @@ local schema = {
         },
         expose_headers = {
             description =
-                "you can use '*' to expose all header when no credentials," ..
-                "'**' to allow forcefully(it will bring some security risks, be carefully)," ..
-                "multiple header use ',' to split. default: *.",
+                 "you can use 'false' or leave it unset to remove response headers," ..
+                 "multiple header use ',' to split. default: *.",
             type = "string",
             default = "*"
         },
@@ -226,7 +225,9 @@ local function set_cors_headers(conf, ctx)
     core.response.set_header("Access-Control-Allow-Origin", ctx.cors_allow_origins)
     core.response.set_header("Access-Control-Allow-Methods", allow_methods)
     core.response.set_header("Access-Control-Max-Age", conf.max_age)
-    core.response.set_header("Access-Control-Expose-Headers", conf.expose_headers)
+    if conf.expose_headers ~= nil and conf.expose_headers ~= "" then
+        core.response.set_header("Access-Control-Expose-Headers", conf.expose_headers)
+    end
     if conf.allow_headers == "**" then
         core.response.set_header("Access-Control-Allow-Headers",
             core.request.header(ctx, "Access-Control-Request-Headers"))