Document Actuator's CORS support

Closes gh-3010

Document Actuator's CORS support
Closes gh-3010
fdf75d3e · Stephane Nicoll · 17f61c1d · fdf75d3e · fdf75d3e
Commit fdf75d3e authored Oct 27, 2015 by Stephane Nicoll
Showing with 21 additions and 1 deletion

appendix-application-properties.adoc ...cs/src/main/asciidoc/appendix-application-properties.adoc +1 -1

production-ready-features.adoc ...oot-docs/src/main/asciidoc/production-ready-features.adoc +20 -0

No files found.
--- a/spring-boot-docs/src/main/asciidoc/appendix-application-properties.adoc
+++ b/spring-boot-docs/src/main/asciidoc/appendix-application-properties.adoc
@@ -767,7 +767,7 @@ content into your application; rather pick only the properties that you need.
 	endpoints.liquibase.id=liquibase
 	endpoints.liquibase.sensitive=false

-	# ENDPOINTS CORS CONFIGURATION ({sc-spring-boot-actuator}/autoconfigure/MvcEndpointCorsProperties.{sc-ext}[MvcEndpointCorsProperties])
+	# ENDPOINTS CORS CONFIGURATION ({sc-spring-boot-actuator}/autoconfigure/EndpointCorsProperties.{sc-ext}[EndpointCorsProperties])
 	endpoints.cors.allow-credentials= # set whether user credentials are support. When not set, credentials are not supported.
 	endpoints.cors.allowed-origins= # comma-separated list of origins to allow. * allows all origins. When not set, CORS support is disabled.
 	endpoints.cors.allowed-methods= # comma-separated list of methods to allow. * allows all methods. When not set, defaults to GET.

--- a/spring-boot-docs/src/main/asciidoc/production-ready-features.adoc
+++ b/spring-boot-docs/src/main/asciidoc/production-ready-features.adoc
@@ -186,6 +186,26 @@ If the https://github.com/mikekelly/hal-browser[HAL Browser] is on the classpath
 via its webjar (`org.webjars:hal-browser`), or via the `spring-data-rest-hal-browser` then
 an HTML "`discovery page`", in the form of the HAL Browser, is also provided.

+[[production-ready-endpoint-cors]]
+=== CORS support
+
+http://en.wikipedia.org/wiki/Cross-origin_resource_sharing[Cross-origin resource sharing]
+(CORS) is a http://www.w3.org/TR/cors/[W3C specification] that allows you to specify in a
+flexible way what kind of cross domain requests are authorized. Actuator's MVC endpoints
+can be configured to support such scenario.
+
+CORS support is disabled by default and is only enabled once the
+`endpoints.cors.allowed-origins` property has been set. The configuration below permits
+`GET` and `POST` calls from the `example.com` domain:
+
+[source,properties,indent=0]
+----
+	endpoints.cors.allowed-origins=http://example.com
+	endpoints.cors.allowed-methods=GET,POST
+----
+
+TIP: Check {sc-spring-boot-actuator}/autoconfigure/EndpointCorsProperties.{sc-ext}[EndpointCorsProperties]
+for a complete list of options.


 [[production-ready-customizing-endpoints-programmatically]]