Show Navigation


Add Cross-Origin Resource Sharing (CORS) headers for Grails 3 applications.

Owner: appcela | 1.2.1 | Nov 7, 2017 | Package | Issues | Source | License: MIT

dependencies {
    compile 'org.grails.plugins:grails3-cors-interceptor:1.2.1'



Add Cross-Origin Resource Sharing (CORS) headers for Grails 3 applications.

Grails 3.2.2+

For Grails 3.2.2+, please use the Grails built-in CORS support, you no longer need this plugin.

Grails 3.0.x - 3.2.1 Only

This plugin will add a new Interceptor (see Grails 3 Interceptor API) to your Grails app that adds CORS headers to all your controllers and actions.

This plugin has only been tested with Grails 3.0., 3.0.15, 3.1.4 and 3.2.0, 3.2.1

  • for Grails 3.1.4+, please use version 1.2.1
  • for Grails 3.0.15+, please use version 0.1.5
  • for Grails 3.0.4 - 3.0.14, please use version 0.1.2

Grails 2.x

For Grails 2.x app, please use the execellent CORS Plugin. In fact, this plugin is based on the Grails 3 servlet filter code provided in the README by that plugin author. The filter code is rewritten as interceptor for this plugin.


1. Add Plugin Dependency

Add the following dependency to your Grails app,


compile "org.grails.plugins:grails3-cors-interceptor:1.2.1"

2. (Optional) Add HTTP OPTIONS Method URL Mapping

For Grails 3.1.4+, this step is no longer needed. Please skip it.

To support the preflight CORS request with HTTP OPTIONS method, url mappings for OPTIONS method must be added explicitly.


"/books"(resources:'book') // mapping to REST resource "book"
"/books/$id?"(controller:'book', method: 'OPTIONS') // explicitly map OPTIONS method to "book" REST controller

3. (Optional) Configuration Settings


    includeEnvironments: ['development', 'test']
    excludeEnvironments: ['production']
    allowedOrigins: ['']
    allowedHeaders: ['my-authorization-header', 'origin', 'content-type', 'accept']
  • includeEnvironments - include this plugin only in the environments listed (default to all environments)
  • excludeEnvironments - exclude this plugin from the environments listed (default to null)
  • allowedOrigins - white list for allowed origins (default to all origins without restrictions)
  • allowedHeaders - custom headers to be used in "Access-Control-Allow-Headers" (default to ["origin", "authorization", "accept", "content-type", "x-requested-with"])

Working with Spring Security Core or Spring Security REST Plugins

See the sample app grails3-cors-interceptor-spring-security-rest-sample-app for detailed instructions on how to get grails3-cors-interceptor working with Spring Security Core or Spring Security REST plugin.