fix(core): add obligations X-Rewrap-Additional-Context to default CORS allowed headers (#2901)

jakedoublev · web-flow · commit d86868d6edb9 · 2025-11-13T17:12:17.000Z
### Proposed Changes

* This header is required for obligations and should be defaulted.
* Updates all example yamls with full list of default allowed headers.
* DSPX-1938
diff --git a/opentdf-core-mode.yaml b/opentdf-core-mode.yaml
@@ -38,11 +38,16 @@ server:
       - OPTIONS
     # List of headers that are allowed in a request
     allowedheaders:
-      - ACCEPT
+      - Accept
+      - Accept-Encoding
       - Authorization
       - Connect-Protocol-Version
+      - Content-Length
       - Content-Type
+      - Dpop
       - X-CSRF-Token
+      - X-Requested-With
+      - X-Rewrap-Additional-Context
     # List of response headers that browsers are allowed to access
     exposedheaders:
       - Link
diff --git a/opentdf-dev.yaml b/opentdf-dev.yaml
@@ -134,12 +134,16 @@ server:
       - OPTIONS
     # List of headers that are allowed in a request
     allowedheaders:
-      - ACCEPT
+      - Accept
+      - Accept-Encoding
       - Authorization
       - Connect-Protocol-Version
+      - Content-Length
       - Content-Type
+      - Dpop
       - X-CSRF-Token
-      - X-Request-ID
+      - X-Requested-With
+      - X-Rewrap-Additional-Context
     # List of response headers that browsers are allowed to access
     exposedheaders:
       - Link
diff --git a/opentdf-ers-mode.yaml b/opentdf-ers-mode.yaml
@@ -75,12 +75,16 @@ server:
       - OPTIONS
     # List of headers that are allowed in a request
     allowedheaders:
-      - ACCEPT
+      - Accept
+      - Accept-Encoding
       - Authorization
       - Connect-Protocol-Version
+      - Content-Length
       - Content-Type
+      - Dpop
       - X-CSRF-Token
-      - X-Request-ID
+      - X-Requested-With
+      - X-Rewrap-Additional-Context
     # List of response headers that browsers are allowed to access
     exposedheaders:
       - Link
diff --git a/opentdf-example.yaml b/opentdf-example.yaml
@@ -92,12 +92,16 @@ server:
       - OPTIONS
     # List of headers that are allowed in a request
     allowedheaders:
-      - ACCEPT
+      - Accept
+      - Accept-Encoding
       - Authorization
       - Connect-Protocol-Version
+      - Content-Length
       - Content-Type
+      - Dpop
       - X-CSRF-Token
-      - X-Request-ID
+      - X-Requested-With
+      - X-Rewrap-Additional-Context
     # List of response headers that browsers are allowed to access
     exposedheaders:
       - Link
diff --git a/opentdf-kas-mode.yaml b/opentdf-kas-mode.yaml
@@ -88,12 +88,16 @@ server:
       - OPTIONS
     # List of headers that are allowed in a request
     allowedheaders:
-      - ACCEPT
+      - Accept
+      - Accept-Encoding
       - Authorization
       - Connect-Protocol-Version
+      - Content-Length
       - Content-Type
+      - Dpop
       - X-CSRF-Token
-      - X-Request-ID
+      - X-Requested-With
+      - X-Rewrap-Additional-Context
     # List of response headers that browsers are allowed to access
     exposedheaders:
       - Link
diff --git a/service/internal/server/server.go b/service/internal/server/server.go
@@ -124,7 +124,7 @@ type CORSConfig struct {
 	Enabled          bool     `mapstructure:"enabled" json:"enabled" default:"true"`
 	AllowedOrigins   []string `mapstructure:"allowedorigins" json:"allowedorigins"`
 	AllowedMethods   []string `mapstructure:"allowedmethods" json:"allowedmethods" default:"[\"GET\",\"POST\",\"PATCH\",\"DELETE\",\"OPTIONS\"]"`
-	AllowedHeaders   []string `mapstructure:"allowedheaders" json:"allowedheaders" default:"[\"Accept\",\"Content-Type\",\"Content-Length\",\"Accept-Encoding\",\"X-CSRF-Token\",\"Authorization\",\"X-Requested-With\",\"Dpop\",\"Connect-Protocol-Version\"]"`
+	AllowedHeaders   []string `mapstructure:"allowedheaders" json:"allowedheaders" default:"[\"Accept\",\"Accept-Encoding\",\"Authorization\",\"Connect-Protocol-Version\",\"Content-Length\",\"Content-Type\",\"Dpop\",\"X-CSRF-Token\",\"X-Requested-With\",\"X-Rewrap-Additional-Context\"]"`
 	ExposedHeaders   []string `mapstructure:"exposedheaders" json:"exposedheaders"`
 	AllowCredentials bool     `mapstructure:"allowcredentials" json:"allowcredentials" default:"true"`
 	MaxAge           int      `mapstructure:"maxage" json:"maxage" default:"3600"`
diff --git a/service/pkg/server/testdata/all-no-config.yaml b/service/pkg/server/testdata/all-no-config.yaml
@@ -81,12 +81,16 @@ server:
       - OPTIONS
     # List of headers that are allowed in a request
     allowedheaders:
-      - ACCEPT
+      - Accept
+      - Accept-Encoding
       - Authorization
       - Connect-Protocol-Version
+      - Content-Length
       - Content-Type
+      - Dpop
       - X-CSRF-Token
-      - X-Request-ID
+      - X-Requested-With
+      - X-Rewrap-Additional-Context
     # List of response headers that browsers are allowed to access
     exposedheaders:
       - Link
