
          # How to Configure CORS: Support For Cross Domain Requests

          CORS (cross-origin resource sharing) is a mechanism that allows a web application to make cross-domain requests, that is, to access the HTTP resources of another domain. By default, browsers restrict cross-domain requests for security, so web applications can only request resources from the domain from which they are loaded.

          As of node version 1.4.7, the node by default returns, in the Access-control-allow-origin HTTP header, the domain specified in the Origin header of the request. Thus, web applications from any domain are allowed to make requests to your node's REST API.

          If required, you can change the CORS settings. Edit the node configuration file and set the HTTP headers that the node should add to the REST API response:

          • access-control-allow-headers
          • access-control-allow-origin
          • access-control-allow-methods
          • access-control-allow-credentials

          Example settings:

          waves {
            rest-api {
              cors-headers {
                access-control-allow-headers = ["Authorization", "Content-Type", "X-Requested-With", "Timestamp", "Signature", "X-API-Key", "api_key"]
                access-control-allow-origin = "http://example.org"
                access-control-allow-methods = ["OPTIONS", "POST", "GET", "DELETE"]
                access-control-allow-credentials = true
              }
              ...
            }
            ...
          }
          

          ## Settings for Earlier Versions

          Complete the following steps:

          1. Disable CORS in node settings.
          2. Configure Web Server.
          3. Enable CORS and send credentials in REST API request.

          ### 1. Disable CORS in Node Settings

          In the node configuration file, set waves.rest-api.cors = no.

          ### 2. Configure Web Server

          Add a web server, for example, nginx, between the web app and your node. The web server should add the following HTTP headers to the REST API response:

          Access-control-allow-credentials: true
          Access-control-allow-headers: DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,signature,timestamp
          Access-control-allow-methods: GET, POST, OPTIONS, PUT, DELETE
          Access-control-allow-origin: https://example.com
          Access-control-expose-headers: Content-Length,Content-Range
          

          Please note: the Access-control-allow-origin header should contain a specific domain rather than *, because browsers reject the wildcard for requests sent with credentials. If you want any website to be able to use your node's REST API, configure your web server to pass the domain specified in the Origin header of the request.

          Example for configuring nginx:

          server {
              listen 80;
              server_name "";
           
              access_log /var/log/nginx/access.log;
              error_log /var/log/nginx/error.log error;
          ...
              location / {
                  proxy_pass http://wavesrpc;
              ...
                  if ($request_method = 'OPTIONS') {
                    return 204;
                  }
          
                  # Default to "*"; otherwise reflect scheme://host taken from the Referer header.
                  set $ref "*";
                  if ($http_referer ~* ^(https?\:\/\/)(.*?)\/(.*)$) {
                    set $ref $1$2;
                  }
                  add_header 'Access-Control-Allow-Origin' $ref always;
                  add_header 'Access-Control-Allow-Credentials' 'true' always;
                  add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS, PUT, DELETE' always;
                  add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,signature,timestamp' always;
                  add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range' always;
              }
          ...
          }
          

          ### 3. Enable CORS and Send Credentials in REST API Request

          Example:

          const response = await fetch(url, {
              mode: 'cors',
              credentials: 'include',
              ...
              body: JSON.stringify(data)
          });
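
The header sets from the node and nginx examples above, run through the check a browser applies to a cross-origin response when the request is sent with credentials: 'include'. This is an added example, not part of the Waves documentation or node code; the origins and the X-API-Key request are constructed, and the header values are copied from the page.

```javascript
// Added example: the browser's CORS check (per the Fetch standard) applied to
// the header sets shown on this page. Origins and requests are constructed.

// Decide whether a cross-origin response is exposed to the calling script.
function corsCheck(requestOrigin, credentialsMode, headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const allowOrigin = h['access-control-allow-origin'];
  const withCreds = credentialsMode === 'include';
  if (allowOrigin === undefined) return { ok: false, reason: 'missing allow-origin' };
  if (allowOrigin === '*') {
    // "*" is honoured only for requests sent without credentials.
    return { ok: !withCreds, reason: withCreds ? 'wildcard with credentials' : 'wildcard' };
  }
  if (allowOrigin !== requestOrigin) return { ok: false, reason: 'origin mismatch' };
  if (withCreds && h['access-control-allow-credentials'] !== 'true') {
    return { ok: false, reason: 'credentials not allowed' };
  }
  return { ok: true, reason: 'origin match' };
}

// Preflight: request headers missing from an explicit Access-Control-Allow-Headers
// list (names compare case-insensitively; a "*" entry is not modelled here).
function blockedHeaders(requestHeaders, allowHeaders) {
  const allowed = allowHeaders.split(',').map((s) => s.trim().toLowerCase());
  return requestHeaders.filter((name) => !allowed.includes(name.toLowerCase()));
}

// Header values copied from the page's examples; "*" is the nginx fallback value.
const NODE_ALLOW_HEADERS =
  'Authorization,Content-Type,X-Requested-With,Timestamp,Signature,X-API-Key,api_key';
const NGINX_ALLOW_HEADERS =
  'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,signature,timestamp';
const fixedOrigin = {
  'Access-Control-Allow-Origin': 'http://example.org',
  'Access-Control-Allow-Credentials': 'true',
};
const wildcardFallback = { ...fixedOrigin, 'Access-Control-Allow-Origin': '*' };

function runScenarios() {
  return {
    sameAsConfigured: corsCheck('http://example.org', 'include', fixedOrigin),
    otherSite: corsCheck('https://app.example', 'include', fixedOrigin),
    wildcardWithCreds: corsCheck('https://app.example', 'include', wildcardFallback),
    wildcardNoCreds: corsCheck('https://app.example', 'omit', wildcardFallback),
    apiKeyViaNginx: blockedHeaders(['Content-Type', 'X-API-Key'], NGINX_ALLOW_HEADERS),
    apiKeyViaNode: blockedHeaders(['Content-Type', 'X-API-Key'], NODE_ALLOW_HEADERS),
  };
}
console.log(JSON.stringify(runScenarios(), null, 2));
```

The last two results show that a request carrying X-API-Key passes preflight with the node's header list but not with the nginx list, which does not include that header.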
          