Skip to content

HTTP headers in API

This tutorial is a part of Iconify API installation instructions for Node.js. This part of the tutorial explains how to change HTTP headers that API server sends to visitors.

By default, server sends the following HTTP headers:

  • Various CORS headers, allowing access from anywhere.
  • Cache headers to cache responses for 604800 seconds (7 days).

To change headers, edit httpHeaders variable in src/config/app.ts, then rebuild script:

If you prefer to use reverse proxy to send all extra headers, remove all unnecessary headers in the file mentioned above and change the configuration in reverse proxy.

Configuring CORS in Apache

If you are using Apache as reverse proxy, you can disable CORS in API and enable it in Apache.

To enable CORS in Apache, add this to Apache configuration:

httpd.confHeader always set Access-Control-Allow-Origin "*"
Header always set Access-Control-Allow-Methods "GET, OPTIONS"
Header always set Access-Control-Allow-Headers "Origin, X-Requested-With, Content-Type, Accept, Accept-Encoding"
Header always set Access-Control-Max-Age "86400"
Header always set Cross-Origin-Resource-Policy "cross-origin"

Configuring CORS in NGINX

If you are using NGINX as a reverse proxy, you can disable CORS in API and enable it in NGINX.

To enable CORS in NGINX, add this to NGINX configuration under http -> server -> location:

nginx.confif ($request_method = 'POST') {
  add_header 'Access-Control-Allow-Origin' '*';
  add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
  add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
  add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range';
  add_header 'Cross-Origin-Resource-Policy' 'cross-origin';
}
if ($request_method = 'GET') {
  add_header 'Access-Control-Allow-Origin' '*';
  add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
  add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
  add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range';
  add_header 'Cross-Origin-Resource-Policy' 'cross-origin';
}

Released under the Apache 2.0 License.