Portal B20: apply editorial revisions to Configure CORS how-to

sharadregoti · sharadregoti · commit 08df9a58f0b2 · 2026-05-01T14:28:55.000+05:30
- Remove Tyk Classic API definition section; replace with a Note
  callout linking to the Classic CORS reference
- Promote Tyk OAS as the sole primary path for Gateway CORS config
- Convert bold-prefixed pseudo-steps to proper numbered list items
  with continuation content indented under each step
- Replace env var column in optional settings table with config keys
  (CORS.MaxAge, CORS.AllowCredentials) linked to their exact anchors
  in the configuration reference; remove PORTAL_CORS_DEBUG (not in
  config reference); correct default allowed methods to GET and POST
diff --git a/portal/how-to-guides/configure-cors.mdx b/portal/how-to-guides/configure-cors.mdx
@@ -23,89 +23,88 @@ Portal application CORS controls which external origins may call the Portal's ow
 `PORTAL_CORS_ENABLE` defaults to `false`. All cross-origin requests to the Portal are rejected until you set this to `true`.
 </Warning>
 
-**1. Enable CORS**
-
-Set `PORTAL_CORS_ENABLE=true` on the Portal process.
-
-<Tabs>
-  <Tab title="Environment variable">
-    ```ini
-    PORTAL_CORS_ENABLE=true
-    ```
-  </Tab>
-  <Tab title="Kubernetes (Helm)">
-    ```yaml
-    extraEnvs:
-      - name: PORTAL_CORS_ENABLE
-        value: "true"
-    ```
-  </Tab>
-</Tabs>
-
-**2. Set allowed origins**
-
-Set `PORTAL_CORS_ALLOWED_ORIGINS` to the origins permitted to make cross-origin requests to the Portal. Use the exact scheme and host of each origin, separated by commas. Wildcards are supported.
-
-{/* TODO: Verify the default behavior when PORTAL_CORS_ALLOWED_ORIGINS is unset. Code analysis (rs/cors library) indicates an empty slice allows all origins. The configuration reference states no origins are allowed by default. Confirm with the Portal team before documenting a specific default. */}
-
-<Tabs>
-  <Tab title="Environment variable">
-    ```ini
-    PORTAL_CORS_ALLOWED_ORIGINS=https://admin.example.com,https://developer.example.com
-    ```
-  </Tab>
-  <Tab title="Kubernetes (Helm)">
-    ```yaml
-    extraEnvs:
-      - name: PORTAL_CORS_ALLOWED_ORIGINS
-        value: "https://admin.example.com,https://developer.example.com"
-    ```
-  </Tab>
-</Tabs>
-
-<Warning>
-Do not set `PORTAL_CORS_ALLOWED_ORIGINS` to `*` when `PORTAL_CORS_ALLOW_CREDENTIALS=true`. The CORS specification does not allow credentialed requests from wildcard origins. Specify each origin explicitly instead.
-</Warning>
-
-**3. Set allowed headers and methods**
-
-Set the HTTP headers and methods that cross-origin requests to the Portal may use. No headers are allowed by default. The default allowed methods are `GET`, `POST`, and `HEAD`.
-
-<Tabs>
-  <Tab title="Environment variable">
-    ```ini
-    PORTAL_CORS_ALLOWED_HEADERS=Authorization,Content-Type,X-Requested-With
-    PORTAL_CORS_ALLOWED_METHODS=GET,POST,PUT,DELETE,OPTIONS
-    ```
-  </Tab>
-  <Tab title="Kubernetes (Helm)">
-    ```yaml
-    extraEnvs:
-      - name: PORTAL_CORS_ALLOWED_HEADERS
-        value: "Authorization,Content-Type,X-Requested-With"
-      - name: PORTAL_CORS_ALLOWED_METHODS
-        value: "GET,POST,PUT,DELETE,OPTIONS"
-    ```
-  </Tab>
-</Tabs>
-
-**4. (Optional) Configure additional CORS settings**
-
-| Variable | Type | Default | Description |
-|---|---|---|---|
-| `PORTAL_CORS_MAX_AGE` | `int` | `0` | How long, in seconds, browsers may cache the preflight response. A positive value reduces preflight round trips. |
-| `PORTAL_CORS_ALLOW_CREDENTIALS` | `bool` | `false` | Whether the Portal includes credentials (cookies, HTTP authentication) in CORS responses. |
-| `PORTAL_CORS_DEBUG` | `bool` | `false` | Logs CORS decisions to the Portal output. Enable temporarily when diagnosing CORS issues. |
-
-**5. Restart the Portal**
-
-Restart the Portal process or pod for the environment variable changes to take effect.
-
-**6. Verify**
-
-Open your browser developer tools and make a cross-origin request to the Portal from an allowed origin. The response headers should include `Access-Control-Allow-Origin` and the request should succeed.
-
-{/* TODO: Screenshot — Portal response headers in browser DevTools Network tab showing Access-Control-Allow-Origin header present */}
+1. **Enable CORS**
+
+   Set `PORTAL_CORS_ENABLE=true` on the Portal process.
+
+   <Tabs>
+     <Tab title="Environment variable">
+       ```ini
+       PORTAL_CORS_ENABLE=true
+       ```
+     </Tab>
+     <Tab title="Kubernetes (Helm)">
+       ```yaml
+       extraEnvs:
+         - name: PORTAL_CORS_ENABLE
+           value: "true"
+       ```
+     </Tab>
+   </Tabs>
+
+2. **Set allowed origins**
+
+   Set `PORTAL_CORS_ALLOWED_ORIGINS` to the origins permitted to make cross-origin requests to the Portal. Use the exact scheme and host of each origin, separated by commas. Wildcards are supported.
+
+   {/* TODO: Verify the default behavior when PORTAL_CORS_ALLOWED_ORIGINS is unset. Code analysis (rs/cors library) indicates an empty slice allows all origins. The configuration reference states no origins are allowed by default. Confirm with the Portal team before documenting a specific default. */}
+
+   <Tabs>
+     <Tab title="Environment variable">
+       ```ini
+       PORTAL_CORS_ALLOWED_ORIGINS=https://admin.example.com,https://developer.example.com
+       ```
+     </Tab>
+     <Tab title="Kubernetes (Helm)">
+       ```yaml
+       extraEnvs:
+         - name: PORTAL_CORS_ALLOWED_ORIGINS
+           value: "https://admin.example.com,https://developer.example.com"
+       ```
+     </Tab>
+   </Tabs>
+
+   <Warning>
+   Do not set `PORTAL_CORS_ALLOWED_ORIGINS` to `*` when `PORTAL_CORS_ALLOW_CREDENTIALS=true`. The CORS specification does not allow credentialed requests from wildcard origins. Specify each origin explicitly instead.
+   </Warning>
+
+3. **Set allowed headers and methods**
+
+   Set the HTTP headers and methods that cross-origin requests to the Portal may use. No headers are allowed by default. The default allowed methods are `GET` and `POST`.
+
+   <Tabs>
+     <Tab title="Environment variable">
+       ```ini
+       PORTAL_CORS_ALLOWED_HEADERS=Authorization,Content-Type,X-Requested-With
+       PORTAL_CORS_ALLOWED_METHODS=GET,POST,PUT,DELETE,OPTIONS
+       ```
+     </Tab>
+     <Tab title="Kubernetes (Helm)">
+       ```yaml
+       extraEnvs:
+         - name: PORTAL_CORS_ALLOWED_HEADERS
+           value: "Authorization,Content-Type,X-Requested-With"
+         - name: PORTAL_CORS_ALLOWED_METHODS
+           value: "GET,POST,PUT,DELETE,OPTIONS"
+       ```
+     </Tab>
+   </Tabs>
+
+4. **(Optional) Configure additional CORS settings**
+
+   | Config key | Type | Default | Description |
+   |---|---|---|---|
+   | [`CORS.MaxAge`](/product-stack/tyk-enterprise-developer-portal/deploy/configuration#portal-cors-max-age) | `int` | `0` | How long, in seconds, browsers may cache the preflight response. A positive value reduces preflight round trips. |
+   | [`CORS.AllowCredentials`](/product-stack/tyk-enterprise-developer-portal/deploy/configuration#portal-cors-allow-credentials) | `bool` | `false` | Whether the Portal includes credentials (cookies, HTTP authentication) in CORS responses. |
+
+5. **Restart the Portal**
+
+   Restart the Portal process or pod for the environment variable changes to take effect.
+
+6. **Verify**
+
+   Open your browser developer tools and make a cross-origin request to the Portal from an allowed origin. The response headers should include `Access-Control-Allow-Origin` and the request should succeed.
+
+   {/* TODO: Screenshot — Portal response headers in browser DevTools Network tab showing Access-Control-Allow-Origin header present */}
 
 ---
 
@@ -117,74 +116,46 @@ When a consumer tests an API using the API Playground on the Live Portal, the br
 **Tyk Gateway v5.8.6–v5.8.13:** A middleware ordering issue in these versions causes the allow list to run before CORS processing, returning `403 Forbidden` for OPTIONS preflight requests. Upgrade to Gateway v5.8.14 or later to resolve this. See [Troubleshoot CORS Issues](/portal/troubleshooting/cors-issues) for diagnosis steps.
 </Warning>
 
-### Tyk Classic API definition
-
-**1. Open the API in Tyk Dashboard**
-
-In Tyk Dashboard, go to **APIs** and open the API that belongs to your Portal API product.
-
-**2. Enable CORS**
-
-Go to the **Advanced Options** tab and expand the **CORS** section. Enable the **CORS** toggle.
-
-{/* TODO: Screenshot — Tyk Dashboard API designer, Advanced Options tab, CORS section enabled, showing the fields described in step 3 */}
-
-**3. Set allowed origins, methods, and headers**
-
-- **Allowed Origins**: Add the full URL of your Live Portal, for example `https://portal.example.com`.
-- **Allowed Methods**: Add all HTTP methods the API supports. Include at minimum `GET`, `POST`, and `OPTIONS`.
-- **Allowed Headers**: Add `Origin`, `Content-Type`, and the authentication header your API uses, for example `Authorization`.
-
-**4. Configure options passthrough**
-
-Leave **Options Passthrough** disabled (the default). When disabled, the Gateway intercepts `OPTIONS` preflight requests, adds CORS headers, and returns `200 OK` without forwarding to the upstream or enforcing authentication. Enable Options Passthrough only if your upstream service handles CORS natively.
-
-**5. Save the API**
-
-Click **Update** to save the API definition.
-
-**6. Verify**
-
-Open the API Playground on your Live Portal and send a test request. The request should complete without CORS errors in the browser console.
-
-### Tyk OAS API definition
+1. **Locate the CORS block**
 
-**1. Locate the CORS block**
+   In a Tyk OAS API definition, CORS configuration sits under `x-tyk-api-gateway.middleware.global.cors`.
 
-In a Tyk OAS API definition, CORS configuration sits under `x-tyk-api-gateway.middleware.global.cors`.
+2. **Add the CORS configuration**
 
-**2. Add the CORS configuration**
+   ```yaml expandable
+   x-tyk-api-gateway:
+     middleware:
+       global:
+         cors:
+           enabled: true
+           allowedOrigins:
+             - "https://portal.example.com"
+           allowedMethods:
+             - GET
+             - POST
+             - PUT
+             - DELETE
+             - OPTIONS
+           allowedHeaders:
+             - Origin
+             - Content-Type
+             - Authorization
+           optionsPassthrough: false
+   ```
 
-```yaml expandable
-x-tyk-api-gateway:
-  middleware:
-    global:
-      cors:
-        enabled: true
-        allowedOrigins:
-          - "https://portal.example.com"
-        allowedMethods:
-          - GET
-          - POST
-          - PUT
-          - DELETE
-          - OPTIONS
-        allowedHeaders:
-          - Origin
-          - Content-Type
-          - Authorization
-        optionsPassthrough: false
-```
+   Set `optionsPassthrough` to `false` (the default). When `false`, the Gateway intercepts OPTIONS preflight requests, responds with CORS headers, and does not forward the request to the upstream.
 
-Set `optionsPassthrough` to `false` (the default). When `false`, the Gateway intercepts OPTIONS preflight requests, responds with CORS headers, and does not forward the request to the upstream.
+3. **Import or update the API**
 
-**3. Import or update the API**
+   Import the updated definition in Tyk Dashboard or update the API via the Tyk Dashboard API.
 
-Import the updated definition in Tyk Dashboard or update the API via the Tyk Dashboard API.
+4. **Verify**
 
-**4. Verify**
+   Open the API Playground on your Live Portal and send a test request. The request should complete without CORS errors in the browser console.
 
-Open the API Playground on your Live Portal and send a test request. The request should complete without CORS errors in the browser console.
+<Note>
+If you are using a **Tyk Classic API definition**, configure CORS in Tyk Dashboard under **APIs** > **Advanced Options** > **CORS**. See the [Classic API CORS reference](/api-management/gateway-config-tyk-classic#cross-origin-resource-sharing-cors) for details.
+</Note>
 
 ---
 
