Skip to content

docs: Reorganize CORS documentation #526

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
jcaudle wants to merge 1 commit into
base: main
Choose a base branch
from
Open

docs: Reorganize CORS documentation #526

jcaudle wants to merge 1 commit into from

Conversation

@jcaudle
Copy link
Contributor

@jcaudle jcaudle commented Dec 9, 2025

This change reorganizes some of the guidance in the CORS documentation to provide a more guided approach to developers trying to implement Apollo MCP Server.

@jcaudle
docs: Reorganize CORS documentation
8804835 
This change reorganizes some of the guidance in the CORS documentation to provide a more guided approach to developers trying to implement Apollo MCP Server.
@jcaudle jcaudle requested review from a team as code owners December 9, 2025 23:38
@apollo-librarian
Copy link

apollo-librarian bot commented Dec 9, 2025
edited
Loading

✅ Docs preview ready

The preview is ready to be viewed. View the preview

File Changes

0 new, 1 changed, 0 removed 
* (developer-tools)/apollo-mcp-server/(latest)/cors.mdx

Build ID: 8ddf68f1ffd3a2fa8e97fef1
Build Logs: View logs

URL: https://www.apollographql.com/docs/deploy-preview/8ddf68f1ffd3a2fa8e97fef1

mabuyo
mabuyo requested changes Dec 10, 2025
View reviewed changes
Copy link
Contributor

@mabuyo mabuyo left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is a really great improvement! Had a couple suggestions

docs/source/cors.mdx

### Configuring Allowed Origins

You must specify which browser origins are allowed to access your MCP Server.
Copy link
Contributor

@mabuyo mabuyo Dec 10, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we add one more sentence after this just introducing the subheadings below? To signal that there's more than one way to do so.

Wondering if we can also match headings to look like this:

  • Why it matters
  • Enabling CORS
  • Configuring allowed origins
    • Allow any origin
    • Specific origins
    • Match origins
  • Passing credentials
  • All cors options
  • Common configurations
    • Development setup
    • Production setup
    • Public API setup
  • Browser integration example

So going up to an H2 for Configuring allowed origins and H3 for subheadings so they show up in the ToC. (I slightly tweaked the heading titles too) What do you think?

docs/source/cors.mdx
#
# An origin is a combination of scheme, hostname and port.
# It does not have any path section, so no trailing slash.
If you set `allow_any_origin` to `true` (the default is `false`), Apollo MCP Server will respond with `Access-Control-Allow-Origin: *` in all CORS responses. This means that _any_ website can initiate browser connections. It is important to note that your client will not be able to authenticate to your MCP Server if you use this configuration.
Copy link
Contributor

@mabuyo mabuyo Dec 10, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could we pull out the "it is important to note" to a <Note> component?

docs/source/cors.mdx
```

You can also disable CORS entirely by setting `enabled` to `false` or omitting the `cors` section:
Setting `origins` to any list of URLs restricts access to only those specific servers. If you have a known list of web applications accessing your MCP server, you should use this option. An origin is a combination of protocol, hostname, and port. It does not have a path section, so there should be no trailing slash.
Copy link
Contributor

@mabuyo mabuyo Dec 10, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
Setting `origins` to any list of URLs restricts access to only those specific servers. If you have a known list of web applications accessing your MCP server, you should use this option. An origin is a combination of protocol, hostname, and port. It does not have a path section, so there should be no trailing slash.
Set `origins` to a list of URLs to restrict access to specific servers. Use this option if you have a known list of web applications accessing your MCP server. An origin is a combination of protocol, hostname, and port. Origins do not include a path, so do not include a trailing slash.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mabuyo mabuyo mabuyo requested changes

Requested changes must be addressed to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@jcaudle @mabuyo