Enabling CORS in Drupal 8 on Acquia Cloud Site Factory


Can cross-origin resource sharing (CORS) be enabled on Acquia Cloud Site Factory? The default settings.yml file in ACSF sites does not include CORS, while by default, Drupal 8 includes that code, even if CORS is disabled.

We tried to update the services.yml file in our codebase but it would not allow us to apply the CORS configuration.


Include a separate services.yml in settings.php via a post-settings-php factory hook.

Example code

    enabled: true
    # Specify allowed headers, like 'x-allowed-header'.
    allowedHeaders: ['x-csrf-token','authorization','content-type','accept','origin','x-requested-with']
    # Specify allowed request methods, specify ['*'] to allow all possible ones.
    allowedMethods: ['*']
    # Configure requests allowed from specific origins.
    allowedOrigins: ['http://localhost:3000']
    # Sets the Access-Control-Expose-Headers header.
    exposedHeaders: true
    # Sets the Access-Control-Max-Age header.
    maxAge: 1000
    # Sets the Access-Control-Allow-Credentials header.
    supportsCredentials: false

More information about factory hooks can be found in our documentation on Altering values in settings.php with hooks.


The Acquia Cloud Site Factory connector module modifies the default services.yml.

The drush acsf-init command copies the default services.yml files in settings.php from the acsf_init module folder into the default/sites folder reverting any modifications made to the existing services.yml file. 


Contact supportStill need assistance? Contact Acquia Support