---
title: "Cross-Origin Resource Sharing (CORS)"
slug: "cross-origin-resource-sharing-cors"
description: "Bucket-level cross-origin resource sharing (CORS) is a mechanism that allows you to authorize resource sharing of your bucket with external third parties (\"origins\"). Set up CORS through the Permissions tab in bucket Settings."
updated: 2025-12-30T22:21:26Z
published: 2025-12-30T22:21:26Z
excludeFromExternalSearch: true
---

# Cross-Origin Resource Sharing (CORS)

CORS defines a way for client web applications loaded in one domain to interact with resources in a different domain. This lets you utilize resources in different buckets across Wasabi accounts for your web applications.

> Wasabi’s CORS implementation handles basic cross-origin scenarios but does not perform full CORS validation or return full CORS responses for some request types. We are actively working to expand coverage.

Wasabi maintains a default CORS configuration. Alternatively, you can write a CORS configuration within the **Permissions** tab of the **Bucket Settings**. If you define a CORS configuration (described below), the default configuration is overwritten. If you delete a custom CORS configuration, the default configuration is used.

![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/image-1727391950610.png)

Using the **Cross-Origin Resource Sharing (CORS)** option, you can configure CORS formatted in JSON by defining a configuration with rules for a bucket. The bucket configuration might include:

- **Allowed Methods**, which are HTTP methods (GET, HEAD, PUT, POST, DELETE, or MOVE) that you want to support for each allowed origin (third-party URL).
- **Allowed Origins** to identify the third-party URLs (the cross-origins) that will be allowed to access your bucket. To grant access to multiple origins, use a comma-separated list or wildcard character (*).
- **Exposed Headers** to identify headers in the response that you want applications to be able to access.

## Defining a CORS Configuration

1. On the Buckets list, click ![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/image-1698327400423.png) for the desired bucket.
2. Click **Settings**.
3. Click the **Permissions** tab.
4. Click **Cross-Origin Resource Sharing (CORS)** at the bottom of the screen.

   ![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/image-1727392288738.png)
5. Click **Edit**.

   ![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/image-1727392092282.png)
6. Enter the CORS configuration. A valid format for the configuration is a JSON array with rules defined as objects. For example:

   ![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/image-1730735278602.png)
7. When you see ![](https://cdn.document360.io/bef0a1ea-7768-4d5a-b520-c4fe2f7fafad/Images/Documentation/image-1708601686470.png) you can click **Save** to create the configuration.
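
Before pasting a configuration into the editor in step 6, you can review it for overly broad rules with a small script such as the following. This is an added example, not Wasabi's code; it assumes S3-style key names (`AllowedOrigins`, `AllowedMethods`, `ExposeHeaders`), which this page does not spell out, and the sample configuration is constructed.

```python
import json

# Methods listed on this page; the write-capable ones are flagged under "*".
WRITE_METHODS = {"PUT", "POST", "DELETE", "MOVE"}
KNOWN_METHODS = {"GET", "HEAD"} | WRITE_METHODS

# Constructed sample configuration (key names are an assumption, see lead-in).
SAMPLE = """[
  {"AllowedOrigins": ["*"], "AllowedMethods": ["GET", "PUT"], "ExposeHeaders": ["ETag"]},
  {"AllowedOrigins": ["https://app.example.com"], "AllowedMethods": ["GET", "HEAD"]},
  {"AllowedOrigins": ["http://staging.example.com"], "AllowedMethods": ["GET"]}
]"""


def audit_cors(config_text):
    """Return (rule_index, finding) pairs for a JSON CORS configuration."""
    rules = json.loads(config_text)
    if not isinstance(rules, list) or not all(isinstance(r, dict) for r in rules):
        raise ValueError("expected a JSON array of rule objects")
    findings = []
    for i, rule in enumerate(rules):
        methods = {str(m).upper() for m in rule.get("AllowedMethods", [])}
        unknown = sorted(methods - KNOWN_METHODS)
        if unknown:
            findings.append((i, "method(s) not listed on this page: " + ", ".join(unknown)))
        for origin in rule.get("AllowedOrigins", []):
            if origin == "*":
                findings.append((i, "wildcard origin: rule applies to every web origin"))
                writes = sorted(methods & WRITE_METHODS)
                if writes:
                    findings.append((i, "wildcard origin with write method(s): " + ", ".join(writes)))
            elif "*" in origin:
                findings.append((i, f"partial wildcard {origin!r}: confirm which hosts it matches"))
            elif origin.startswith("http://"):
                findings.append((i, f"plaintext origin {origin!r}: prefer https"))
    return findings


if __name__ == "__main__":
    for index, finding in audit_cors(SAMPLE):
        print(f"rule {index}: {finding}")
```

A rule with no findings names explicit `https` origins and only the methods that origin needs.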

## Default CORS Configuration

If the user-defined CORS configuration is not saved in the editor (above), the [default CORS configuration](https://docs.wasabi.com/apidocs/bucket-cors-support-with-the-wasabi-s3-api) is applied to the bucket.
