The CORS middleware sets the correctDocumentation Index
Fetch the complete documentation index at: https://mintlify.com/AndresGT/GoKit/llms.txt
Use this file to discover all available pages before exploring further.
Access-Control-Allow-* response headers and handles OPTIONS preflight requests so browsers can safely call your Gin API from a different origin. GoKit ships two ready-to-use presets — one permissive for local development and one secure for production — plus full manual configuration when you need precise control.
Import
Overview
On every request the middleware reads the incomingOrigin header and checks it against the configured allowlist. If the origin is allowed it writes the appropriate CORS headers. OPTIONS preflight requests are short-circuited and never forwarded to your handlers — allowed origins receive 204 No Content, blocked ones receive 403 Forbidden. A Vary: Origin header is always added when an explicit origin list is in use, ensuring CDN and browser caches don’t serve the wrong CORS headers to different callers.
Functions
| Function | Returns | Description |
|---|---|---|
DefaultCORSConfig() | CORSConfig | Returns the permissive development config (all origins, no credentials). |
ProductionCORSConfig(origins []string) | CORSConfig | Returns a secure config for the given origin list with credentials enabled. |
CORS(CORSConfig) | gin.HandlerFunc | Builds a CORS middleware from any CORSConfig. |
DefaultCORS() | gin.HandlerFunc | Shorthand for CORS(DefaultCORSConfig()). |
Development Preset
DefaultCORS() allows all origins, all common HTTP methods, all common request headers, and disables credentials. Ideal for local development and open public APIs.
middleware.CORS(middleware.DefaultCORSConfig()).
Production Preset
ProductionCORSConfig takes a list of allowed origins, enables credentials, and uses a conservative 1-hour preflight cache.
Manual Configuration
Usemiddleware.CORS(CORSConfig{...}) for complete control over every CORS header.
CORSConfig Fields
A list of origins the middleware will accept. Use
["*"] to allow all origins (only valid when AllowCredentials is false). Use *.domain.com notation for wildcard subdomain matching. Defaults to ["*"] if the slice is empty.HTTP methods to list in
Access-Control-Allow-Methods. Defaults to GET, POST, OPTIONS if empty.Request headers the browser is allowed to send, listed in
Access-Control-Allow-Headers. Defaults to Origin, Content-Type, Authorization if empty.Response headers that the browser JavaScript can read from the response, set in
Access-Control-Expose-Headers. Omitted when the slice is empty.When
true, sets Access-Control-Allow-Credentials: true, which permits the browser to include cookies and Authorization headers with cross-origin requests.How many seconds the browser may cache a preflight response (
Access-Control-Max-Age). 0 omits the header.Default Values
DefaultCORSConfig
| Field | Value |
|---|---|
AllowOrigins | ["*"] |
AllowMethods | GET, POST, PUT, PATCH, DELETE, OPTIONS |
AllowHeaders | Origin, Content-Type, Authorization, Accept, X-Requested-With |
ExposeHeaders | Content-Length |
AllowCredentials | false |
MaxAge | 43200 (12 hours) |
ProductionCORSConfig
| Field | Value |
|---|---|
AllowOrigins | provided origins |
AllowMethods | GET, POST, PUT, PATCH, DELETE, OPTIONS |
AllowHeaders | Origin, Content-Type, Authorization |
ExposeHeaders | Content-Length |
AllowCredentials | true |
MaxAge | 3600 (1 hour) |
Wildcard Subdomain Matching
Origin entries prefixed with*. match any subdomain of the given domain. This is useful when you have many subdomains that should all be allowed without listing each one explicitly.
*. prefix and checks whether the incoming Origin value ends with the remaining domain string.
Preflight Handling
The middleware intercepts allOPTIONS requests before they reach your route handlers:
- Allowed origin → responds immediately with
204 No Contentand all CORS headers set. - Blocked origin → responds immediately with
403 Forbidden. No CORS headers are set.
OPTIONS is needed in your router.