edge-cors-policy is a Kong plugin that enforces CORS decisions at the gateway boundary instead of delegating them to upstream applications.

It validates the incoming Origin, evaluates preflight method and header requests, short-circuits preflight traffic, and emits deterministic CORS response headers.

cd edge-cors-policy
luarocks make

Or install a built rock:

luarocks install kong-plugin-edge-cors-policy-1.0.0-1.all.rock

Enable it in Kong:

export KONG_PLUGINS=bundled,edge-cors-policy

From the external_plugins directory:

luarocks make kong-plugins-bundle-1.0.0-1.rockspec

Then enable the plugin by name:

export KONG_PLUGINS=bundled,edge-cors-policy

• KongPlugin
• KongClusterPlugin
• Ingress
• HTTPRoute

• Parses and validates the Origin header.
• Allows exact origins or host suffixes.
• Handles preflight requests in the plugin without proxying upstream.
• Rejects or silently denies disallowed origins depending on config.
• Extends Vary correctly for cache safety.

• allow_all_origins
• allowed_origins
• allowed_host_suffixes
• allow_methods
• allow_headers
• expose_headers
• allow_credentials
• max_age
• reject_disallowed_origins
• reject_status_code
• allow_private_network

See schema.lua for the exact schema and defaults.