Simple Object Storage’s CORS (Cross-Origin Resource Sharing) support lets you configure access to your buckets from browser-based applications and websites. CORS rules are applied to entire buckets and all the objects they contain.

CORS configuration format

A CORS configuration is an XML document containing a set of rules. Each rule defines a set of allowed HTTP origins, methods, and headers.

Here is an example CORS configuration:


This configuration allows all HTTP methods from the origin, and all headers starting with Content-. For all other origins, the GET method is allowed.

You can use wildcards (*) in allowed origins, methods and headers. Wildcards in allowed headers are limited to prefix matches.

A single rule can contain multiple <AllowedOrigin>, <AllowedMethod> and <AllowedHeader> elements.


<AllowedMethod> supports the following values:

  • HEAD
  • GET
  • POST
  • PUT


<AllowedOrigin> specifies the origins from which you want to allow cross-domain requests. You can choose an exact match ( or a match with the wildcard character (https://* If you set <AllowedOrigin> to *, it allows all origins.

Additional elements

Each <CORSRule> element additionally supports the following elements:

  • <MaxAgeSeconds>: controls the browser’s cache for the OPTIONS response. Caching responses helps the browser avoid making repeated OPTIONS calls if the original request is being repeated. To set a 5-minute cache, set <MaxAgeSeconds> to 300.

  • <ExposeHeader>: a comma-separated list of headers that SOS can send back in its responses, making them available to your JavaScript application code.

Managing CORS configuration in the Portal

CORS configuration can be edited in the Exoscale Portal. Navigate to the bucket list and click on the “Edit” icon next to your bucket. In the CORS tab, paste your XML document.

Managing CORS configuration within the SOS API

The API endpoint for CORS management is https://<bucket-name> See the AWS S3 documentation for details: