# cors configuration if ($request_method ~* "(GET|POST)") {

1. # cors configuration
2.  
3. if ($request_method ~* "(GET|POST)") {
4. add_header "Access-Control-Allow-Origin" *;
5. }
6. # whitelist of allowed domains, via a regular expression
7. # if ($http_origin ~* (http://localhost(:[0-9]+)?)) {
8. if ($http_origin ~* .*) { # wideopen, for local development. tailor your regex as needed
9. set $cors "true";
10. }
11.  
12. # apparently, the following three if statements create a flag for "compound conditions"
13. if ($request_method = OPTIONS) {
14. set $cors "${cors}options";
15. }
16.  
17. if ($request_method = GET) {
18. set $cors "${cors}get";
19. }
20.  
21. if ($request_method = POST) {
22. set $cors "${cors}post";
23. }
24.  
25. # now process the flag
26. if ($cors = 'trueget') {
27. add_header 'Access-Control-Allow-Origin' "$http_origin";
28. add_header 'Access-Control-Allow-Credentials' 'true';
29. }
30.  
31. if ($cors = 'truepost') {
32. add_header 'Access-Control-Allow-Origin' "$http_origin";
33. add_header 'Access-Control-Allow-Credentials' 'true';
34. }
35.  
36. if ($cors = 'trueoptions') {
37. add_header 'Access-Control-Allow-Origin' "$http_origin";
38. add_header 'Access-Control-Allow-Credentials' 'true';
39.  
40. add_header 'Access-Control-Max-Age' 120; # cache preflight value in seconds. 300=5 min ; 1728000==20 days
41. add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
42. add_header 'Access-Control-Allow-Headers' 'Authorization,Content-Type,Accept,Origin,User-Agent,DNT,Cache-Control,X-Mx-ReqToken,Keep-Alive,X-Requested-With,If-Modified-Since';
43. #add_header 'Access-Control-Allow-Headers' 'Origin, Content-Type, Accept, Authorization, X-Requested-With, Accept-Error, X-CSRF-TOKEN';
44.  
45. add_header 'Content-Length' 0;
46. add_header 'Content-Type' 'text/plain charset=UTF-8';
47. return 204;
48. }