Cloudflare R2 · Schema

R2 Cors Rule

Object Storage, Cloud Storage, S3-Compatible, Egress-Free, Buckets, Developer Platform, Cloudflare

Properties

Name Type Description
allowed object Object specifying allowed origins, methods and headers for this CORS rule.
exposeHeaders array Specifies the headers that can be exposed back, and accessed by, the JavaScript making the cross-origin request. If you need to access headers beyond the safelisted response headers, such as Content-Encoding or cf-cache-status, you must specify it here.
id string Identifier for this rule.
maxAgeSeconds number Specifies the amount of time (in seconds) browsers are allowed to cache CORS preflight responses. Browsers may limit this to 2 hours or less, even if the maximum value (86400) is specified.

JSON Schema

cloudflare-r2-cors-rule.json
{
  "$schema": "http://json-schema.org/draft-07/schema#",
  "$id": "https://raw.githubusercontent.com/api-evangelist/cloudflare-r2/main/json-schema/cloudflare-r2-cors-rule.json",
  "title": "R2 Cors Rule",
  "properties": {
    "allowed": {
      "description": "Object specifying allowed origins, methods and headers for this CORS rule.",
      "properties": {
        "headers": {
          "description": "Specifies the value for the Access-Control-Allow-Headers header R2 sets when objects in this bucket are requested from a browser. Custom headers (e.g. x-user-id) that cross-origin requests include should be listed here as AllowedHeaders.",
          "items": {
            "example": "x-requested-by",
            "type": "string",
            "x-auditable": true
          },
          "type": "array"
        },
        "methods": {
          "description": "Specifies the value for the Access-Control-Allow-Methods header R2 sets when objects in a bucket are requested from a browser.",
          "items": {
            "enum": [
              "GET",
              "PUT",
              "POST",
              "DELETE",
              "HEAD"
            ],
            "type": "string",
            "x-auditable": true
          },
          "type": "array"
        },
        "origins": {
          "description": "Specifies the value for the Access-Control-Allow-Origin header R2 sets when objects in a bucket are requested from a browser.",
          "items": {
            "example": "http://localhost:3000",
            "type": "string",
            "x-auditable": true
          },
          "type": "array"
        }
      },
      "required": [
        "methods",
        "origins"
      ],
      "type": "object"
    },
    "exposeHeaders": {
      "description": "Specifies the headers that can be exposed back, and accessed by, the JavaScript making the cross-origin request. If you need to access headers beyond the safelisted response headers, such as Content-Encoding or cf-cache-status, you must specify it here.",
      "items": {
        "example": "Content-Encoding",
        "type": "string",
        "x-auditable": true
      },
      "type": "array"
    },
    "id": {
      "description": "Identifier for this rule.",
      "example": "Allow Local Development",
      "type": "string",
      "x-auditable": true
    },
    "maxAgeSeconds": {
      "description": "Specifies the amount of time (in seconds) browsers are allowed to cache CORS preflight responses. Browsers may limit this to 2 hours or less, even if the maximum value (86400) is specified.",
      "example": 3600,
      "type": "number",
      "x-auditable": true
    }
  },
  "required": [
    "allowed"
  ],
  "type": "object"
}