Adoption

Agent Skills are supported by leading AI development tools.

VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory VS Code Gemini CLI GitHub Goose Amp Cursor Claude Code Letta OpenCode Claude OpenAI Codex Factory

moonming/a6-plugin-cors

Name: a6-plugin-cors
Author: moonming

skills/a6-plugin-cors/SKILL.md

npx skillsauth add moonming/a6 a6-plugin-cors

Clean

TrivyContainer and dependency vulnerability scanner

Clean

SemgrepStatic code analysis for vulnerabilities

Clean

mcp-scan (Snyk)Model Context Protocol security validation

Skipped

Snyk (dep)Open source security scanning

Skipped

Socket.devSupply chain security analysis

Skipped

VirusTotalMulti-engine malware detection

Skipped

CrowdStrikeAdvanced threat intelligence

Skipped

OSV-ScannerOpen Source Vulnerability database check

Skipped

OWASP Dep-Check

a6-plugin-cors

Overview

The cors plugin manages Cross-Origin Resource Sharing headers on APISIX routes. It automatically handles preflight OPTIONS requests, sets Access-Control-* response headers, and supports wildcard, exact, and regex-based origin matching.

When to Use

Enable browser-based JavaScript access to your API from different origins
Configure credentialed cross-origin requests (cookies, auth headers)
Allow specific subdomains via regex patterns
Control preflight cache duration for performance

Plugin Configuration Reference (Route/Service)

| Field | Type | Required | Default | Description | |-------|------|----------|---------|-------------| | allow_origins | string | No | "*" | Allowed origins. Comma-separated scheme://host:port. Use * for all (no credentials). Use ** to force-allow all (security risk). | | allow_methods | string | No | "*" | Allowed HTTP methods. Comma-separated. Use * or ** same as origins. | | allow_headers | string | No | "*" | Allowed request headers. Comma-separated. When **, echoes the request's Access-Control-Request-Headers. | | expose_headers | string | No | — | Response headers exposed to browser. Comma-separated. Not set by default. | | max_age | integer | No | 5 | Preflight cache duration in seconds. -1 disables caching. | | allow_credential | boolean | No | false | Allow credentials (cookies, auth headers). If true, cannot use * for other fields. | | allow_origins_by_regex | array[string] | No | — | Regex patterns to match origins dynamically | | allow_origins_by_metadata | array[string] | No | — | Reference origins from plugin metadata | | timing_allow_origins | string | No | — | Origins for Resource Timing API access | | timing_allow_origins_by_regex | array[string] | No | — | Regex patterns for timing origins |

Wildcard Rules

| Value | Meaning | With allow_credential: true? | |-------|---------|-------------------------------| | * | Allow all | ❌ Not allowed (CORS spec) | | ** | Force allow all | ✅ Allowed but dangerous (CSRF risk) | | Specific | Exact match | ✅ Allowed |

Step-by-Step: Enable CORS on a Route

1. Basic CORS (public API, no credentials)

a6 route create -f - <<'EOF'
{
  "id": "public-api",
  "uri": "/api/*",
  "plugins": {
    "cors": {}
  },
  "upstream": {
    "type": "roundrobin",
    "nodes": {
      "backend:8080": 1
    }
  }
}
EOF

Response headers on all requests:

Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: *
Access-Control-Allow-Headers: *
Access-Control-Max-Age: 5

2. CORS with credentials (specific origins)

a6 route create -f - <<'EOF'
{
  "id": "credentialed-api",
  "uri": "/api/*",
  "plugins": {
    "cors": {
      "allow_origins": "https://app.example.com,https://admin.example.com",
      "allow_methods": "GET,POST,PUT,DELETE,OPTIONS",
      "allow_headers": "Content-Type,Authorization,X-Custom-Header",
      "expose_headers": "X-Request-Id,X-Response-Time",
      "max_age": 3600,
      "allow_credential": true
    }
  },
  "upstream": {
    "type": "roundrobin",
    "nodes": {
      "backend:8080": 1
    }
  }
}
EOF

Common Patterns

Regex-based origin matching (all subdomains)

{
  "plugins": {
    "cors": {
      "allow_origins_by_regex": [
        ".*\\.example\\.com$"
      ],
      "allow_methods": "GET,POST,PUT,DELETE",
      "allow_credential": true,
      "max_age": 86400
    }
  }
}

Matches: https://app.example.com, https://staging.example.com Does not match: https://example.com, https://evil.com

Multiple domain groups with regex

{
  "plugins": {
    "cors": {
      "allow_origins_by_regex": [
        ".*\\.example\\.com$",
        ".*\\.partner\\.net$",
        "^https://localhost:[0-9]+$"
      ],
      "allow_methods": "GET,POST",
      "allow_credential": true
    }
  }
}

Long preflight cache

{
  "plugins": {
    "cors": {
      "allow_origins": "https://app.example.com",
      "max_age": 86400,
      "allow_credential": true
    }
  }
}

Browser caches the preflight response for 24 hours, reducing OPTIONS requests.

Expose custom response headers

{
  "plugins": {
    "cors": {
      "allow_origins": "*",
      "expose_headers": "X-Request-Id,X-RateLimit-Limit,X-RateLimit-Remaining"
    }
  }
}

Without expose_headers, browsers only expose CORS-safelisted headers.

Response Headers Set by Plugin

| Header | When Set | |--------|----------| | Access-Control-Allow-Origin | Always (matching origin or *) | | Access-Control-Allow-Methods | Always | | Access-Control-Allow-Headers | Always | | Access-Control-Expose-Headers | Only if expose_headers configured | | Access-Control-Max-Age | Always (preflight responses) | | Access-Control-Allow-Credentials | Only if allow_credential: true | | Timing-Allow-Origin | Only if timing_allow_origins configured |

Troubleshooting

| Symptom | Cause | Fix | |---------|-------|-----| | Browser CORS error despite plugin | allow_credential: true with allow_origins: "*" | Use specific origins or ** (risky) | | Preflight fails but GET works | allow_methods missing the method | Add method to allow_methods | | Custom header blocked | Header not in allow_headers | Add header to allow_headers | | Can't read response header in JS | Header not in expose_headers | Add header to expose_headers | | Regex not matching | Missing anchors or escaping | Use $ anchor and escape dots: \\. | | Cookies not sent cross-origin | allow_credential is false | Set allow_credential: true with specific origins | | Origin format rejected | Missing scheme | Use https://example.com not example.com |

Config Sync Example

version: "1"
routes:
  - id: cors-api
    uri: /api/*
    plugins:
      cors:
        allow_origins: "https://app.example.com"
        allow_methods: "GET,POST,PUT,DELETE,OPTIONS"
        allow_headers: "Content-Type,Authorization"
        expose_headers: "X-Request-Id"
        max_age: 3600
        allow_credential: true
    upstream_id: api-upstream
upstreams:
  - id: api-upstream
    type: roundrobin
    nodes:
      "backend:8080": 1

moonming/a6-plugin-cors

skills/a6-plugin-cors/SKILL.md

Skill for configuring the Apache APISIX cors plugin via the a6 CLI. Covers Cross-Origin Resource Sharing setup on routes, allow_origins, allow_methods, allow_headers, credentials handling, regex origin matching, preflight caching, and common operational patterns.

tools

Updated Apr 21, 2026

$ install --global

skillsauth

npx skillsauth add moonming/a6 a6-plugin-cors

Install this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.

Security Scan Results

3 of 9 scanners reported clean

Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.

Scanners Passed

Scanners in report

Clean

TrivyContainer and dependency vulnerability scanner

95%

Clean

SemgrepStatic code analysis for vulnerabilities

95%

Clean

mcp-scan (Snyk)Model Context Protocol security validation

95%

Skipped

Snyk (dep)Open source security scanning

50%

Skipped

Socket.devSupply chain security analysis

50%

Skipped

VirusTotalMulti-engine malware detection

50%

Skipped

CrowdStrikeAdvanced threat intelligence

50%

Skipped

OSV-ScannerOpen Source Vulnerability database check

50%

Skipped

OWASP Dep-Check

50%

Last scanned: Apr 30, 2026, 12:33 PM3.9s1 file scanned

SKILL.md

name:: a6-plugin-cors
description:: >-
version:: 1.0.0
author:: Apache APISIX Contributors
license:: Apache-2.0
category:: plugin
apisix_version:: >=3.0.0
plugin_name:: cors

a6-plugin-cors

Overview

When to Use

Enable browser-based JavaScript access to your API from different origins
Configure credentialed cross-origin requests (cookies, auth headers)
Allow specific subdomains via regex patterns
Control preflight cache duration for performance

Plugin Configuration Reference (Route/Service)

Wildcard Rules

Step-by-Step: Enable CORS on a Route

1. Basic CORS (public API, no credentials)

a6 route create -f - <<'EOF'
{
  "id": "public-api",
  "uri": "/api/*",
  "plugins": {
    "cors": {}
  },
  "upstream": {
    "type": "roundrobin",
    "nodes": {
      "backend:8080": 1
    }
  }
}
EOF

Response headers on all requests:

Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: *
Access-Control-Allow-Headers: *
Access-Control-Max-Age: 5

2. CORS with credentials (specific origins)

a6 route create -f - <<'EOF'
{
  "id": "credentialed-api",
  "uri": "/api/*",
  "plugins": {
    "cors": {
      "allow_origins": "https://app.example.com,https://admin.example.com",
      "allow_methods": "GET,POST,PUT,DELETE,OPTIONS",
      "allow_headers": "Content-Type,Authorization,X-Custom-Header",
      "expose_headers": "X-Request-Id,X-Response-Time",
      "max_age": 3600,
      "allow_credential": true
    }
  },
  "upstream": {
    "type": "roundrobin",
    "nodes": {
      "backend:8080": 1
    }
  }
}
EOF

Common Patterns

Regex-based origin matching (all subdomains)

{
  "plugins": {
    "cors": {
      "allow_origins_by_regex": [
        ".*\\.example\\.com$"
      ],
      "allow_methods": "GET,POST,PUT,DELETE",
      "allow_credential": true,
      "max_age": 86400
    }
  }
}

Matches: https://app.example.com, https://staging.example.com Does not match: https://example.com, https://evil.com

Multiple domain groups with regex

{
  "plugins": {
    "cors": {
      "allow_origins_by_regex": [
        ".*\\.example\\.com$",
        ".*\\.partner\\.net$",
        "^https://localhost:[0-9]+$"
      ],
      "allow_methods": "GET,POST",
      "allow_credential": true
    }
  }
}

Long preflight cache

{
  "plugins": {
    "cors": {
      "allow_origins": "https://app.example.com",
      "max_age": 86400,
      "allow_credential": true
    }
  }
}

Browser caches the preflight response for 24 hours, reducing OPTIONS requests.

Expose custom response headers

{
  "plugins": {
    "cors": {
      "allow_origins": "*",
      "expose_headers": "X-Request-Id,X-RateLimit-Limit,X-RateLimit-Remaining"
    }
  }
}

Without expose_headers, browsers only expose CORS-safelisted headers.

Response Headers Set by Plugin

Troubleshooting

Config Sync Example

version: "1"
routes:
  - id: cors-api
    uri: /api/*
    plugins:
      cors:
        allow_origins: "https://app.example.com"
        allow_methods: "GET,POST,PUT,DELETE,OPTIONS"
        allow_headers: "Content-Type,Authorization"
        expose_headers: "X-Request-Id"
        max_age: 3600
        allow_credential: true
    upstream_id: api-upstream
upstreams:
  - id: api-upstream
    type: roundrobin
    nodes:
      "backend:8080": 1

Related Skills

moonming/a6-shared

tools

VerifiedTrustedCommunity

Core skill for working with the a6 CLI — the Apache APISIX command-line tool. Provides project conventions, command patterns, architecture overview, and development workflow. Load this skill when working on a6 source code, adding new commands, writing tests, or modifying any a6 component.

SKILL.mdUpdated Apr 21, 2026

moonming/a6-recipe-multi-tenant

tools

VerifiedTrustedCommunity

Recipe skill for implementing multi-tenant API gateway patterns using the a6 CLI. Covers tenant isolation via Consumer Groups, host/path/header-based routing, per-tenant rate limiting, context forwarding with proxy-rewrite, and declarative config sync workflows for multi-tenant management.

SKILL.mdUpdated Apr 21, 2026

moonming/a6-recipe-multi-tenant

moonming/a6-recipe-mtls

tools

VerifiedTrustedCommunity

Recipe skill for configuring mutual TLS (mTLS) using the a6 CLI. Covers SSL certificate management, upstream mTLS to backend services, client certificate verification, and end-to-end mTLS setup from client through APISIX to upstream.

SKILL.mdUpdated Apr 21, 2026

moonming/a6-recipe-mtls

moonming/a6-recipe-health-check

tools

VerifiedTrustedCommunity

Recipe skill for configuring upstream health checks using the a6 CLI. Covers active health checks (HTTP probing), passive health checks (response analysis), combining both, configuring healthy/unhealthy thresholds, and monitoring upstream node status.

SKILL.mdUpdated Apr 21, 2026

moonming/a6-recipe-health-check

Download

For Claude Desktop. Download once, then upload the file in the app — no terminal needed.

Need help? View full Cowork setup guide →

Install manually

Choose your platform

# Clone the repo
git clone https://github.com/moonming/a6.git

# Copy into Claude Code skills folder (global)
cp -r a6/skills/a6-plugin-cors ~/.claude/skills/

Claude Code Skills — official skills path docs.

Repository

moonming/a6

Compatible with

Claude Code

OpenAI Codex CLI

ChatGPT