relay_server/middlewares/
cors.rs

1use std::time::Duration;
2
3use axum::http::{HeaderName, Method};
4use tower_http::cors::{Any, CorsLayer};
5
/// Builds the CORS layer applied to store requests.
///
/// The returned [`CorsLayer`] permits cross-origin `POST` from any origin, accepts the default
/// Sentry request headers, exposes the Sentry response headers listed below, and lets browsers
/// cache the preflight result for one hour.
///
/// The wildcard origin is used without credentials. CORS forbids combining `*` with
/// credentialed requests, so an origin allow-list has to replace [`Any`] before
/// `allow_credentials` is ever turned on. CORS is enforced by browsers only; it does not
/// restrict what non-browser clients send, so request authentication must not depend on it.
pub fn cors() -> CorsLayer {
    // Request headers a browser may send cross-origin.
    // NOTE(review): `x-forwarded-for` can be set by any caller; confirm that whatever derives
    // the client address downstream only trusts it when it comes from a known proxy.
    let request_headers = [
        "x-sentry-auth",
        "x-requested-with",
        "x-forwarded-for",
        "origin",
        "referer",
        "accept",
        "content-type",
        "authentication",
        "authorization",
        "content-encoding",
        "transfer-encoding",
    ]
    .map(HeaderName::from_static);

    // Response headers that browser scripts are allowed to read.
    let response_headers = [
        "x-sentry-error",
        "x-sentry-rate-limits",
        "retry-after",
    ]
    .map(HeaderName::from_static);

    // How long a browser may cache the preflight response.
    let preflight_cache = Duration::from_secs(3600);

    CorsLayer::new()
        .allow_origin(Any)
        // GET would also be valid for the /store/ endpoint, and Axum emits a correct "allow"
        // header for it. In practice this is not an issue, so the layer stays more restrictive.
        .allow_methods(Method::POST)
        .allow_headers(request_headers)
        .expose_headers(response_headers)
        .max_age(preflight_cache)
}