NeuralTrust | The leading security platform for generative AI

The cors policy adds Cross-Origin Resource Sharing headers so browser clients can call the gateway directly. Configure it per policy scope.

Setting	Type	Notes
`allowed_origins`	string[]	Required. `["*"]` or explicit origins.
`allowed_methods`	string[]	`GET` `POST` `PUT` `DELETE` `OPTIONS` `HEAD` `PATCH`.
`allow_credentials`	bool	Cannot be `true` with wildcard origins.
`expose_headers`	string[]	Response headers exposed to the browser.
`max_age`	duration	Preflight cache duration.
`log_violations`	bool	Log disallowed-origin requests.

{
  "slug": "cors",
  "settings": {
    "allowed_origins": ["https://app.example.com"],
    "allowed_methods": ["GET", "POST", "OPTIONS"],
    "allow_credentials": true
  }
}

Server-level CORS

Independently of the policy, a server-level CORS middleware applies to both the admin and proxy planes, driven by environment variables (CORS_ALLOW_ORIGINS, CORS_ALLOW_METHODS, CORS_ALLOW_HEADERS, CORS_EXPOSE_HEADERS, CORS_ALLOW_CREDENTIALS, CORS_MAX_AGE). Use the env-level config for a coarse default and the policy for per-route control. See Configuration.

Semantic cache

MCP plane

​Server-level CORS

Server-level CORS