How to Configure CORS on DigitalOcean Spaces

Spaces is an S3-compatible object storage service that lets you store and serve large amounts of data. Each Space is a bucket for you to store and serve files. The free, built-in Spaces CDN minimizes page load times, improves performance, and reduces bandwidth and infrastructure costs.


With Cross-Origin Resource Sharing (CORS) configured, client web applications loaded from one domain can interact with resources in a Spaces bucket.

To configure CORS for a bucket, navigate to its Settings page. In the CORS Configurations section, click Add.

This opens the Advanced CORS Options window, which lets you set the following advanced CORS options:

  • Origin: Specifies the complete domain of the client you want to access your bucket’s resources. The domain should start with a protocol identifier, such as http, end with a hostname or hostname and port, and optionally include a wildcard character (*) at the start of the hostname. For example, https://*.example.com. All other settings are only applied to requests from this Origin.

  • Allowed Methods: Determines which API methods can interact with your bucket. You can allow or prohibit the following methods:

    • GET: Downloads a resource.
    • PUT: Updates a resource’s properties or information.
    • DELETE: Deletes a resource.
    • POST: Creates a new resource.
    • HEAD: Retrieves a resource’s metadata, such as its file size.

  • Allowed Headers: Determines which non-default headers your bucket accepts. To verify that an incoming HTTP request abides by your CORS settings, your bucket checks the request’s list of headers. Each header describes a property of the request. For example, Content-Length and Content-Type are some of the default headers that CORS automatically accepts. However, if your client sends any non-default headers, you must first add them to your CORS configuration.

  • Access Control Max Age: Determines how long a request’s verification is cached, in seconds. While verification is cached, the bucket can accept more requests from the same origin without verifying them again, which improves performance. The recommended value is 5 seconds. Lower values may be useful during development, and higher values may be useful if a single browser is issuing many requests at once. Some browsers may also cap this value, with caps as high as 10 minutes.
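
The following is an added example, not DigitalOcean's code: a small lint that checks the four options above before you enter them in the window. The helper name `lint_cors_rule`, the severity labels, and the sample rules are assumptions made for illustration, and the warnings reflect general CORS hygiene rather than checks Spaces itself performs.

```python
import re

# The five methods listed under Allowed Methods above.
KNOWN_METHODS = {"GET", "PUT", "DELETE", "POST", "HEAD"}
WRITE_METHODS = {"PUT", "DELETE", "POST"}

# Origin format described above: protocol, optional "*." at the start of the
# hostname, hostname, optional port, and nothing after it (no path).
ORIGIN_RE = re.compile(
    r"^(?P<scheme>https?)://(?P<wild>\*\.)?"
    r"(?P<host>[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*)(?::(?P<port>\d{1,5}))?$"
)

def lint_cors_rule(origin, methods, headers=(), max_age=5):
    """Return (severity, message) findings for one CORS rule (hypothetical helper)."""
    findings = []
    wanted = {m.upper() for m in methods}
    match = ORIGIN_RE.match(origin)
    if not match:
        findings.append(("error", f"origin {origin!r} is not protocol://[*.]host[:port]"))
    else:
        if match["scheme"] == "http":
            findings.append(("warn", "http origin: the calling page is not protected by TLS"))
        risky = sorted(wanted & WRITE_METHODS)
        if match["wild"] and risky:
            findings.append(("warn", "wildcard origin allows " + ", ".join(risky)
                             + " from every subdomain"))
    unknown = sorted(wanted - KNOWN_METHODS)
    if unknown:
        findings.append(("error", "unknown methods: " + ", ".join(unknown)))
    for name in headers:
        if not re.fullmatch(r"[A-Za-z0-9!#$%&'*+.^_`|~-]+", name):
            findings.append(("error", f"header name {name!r} is not a valid token"))
    if not isinstance(max_age, int) or max_age < 0:
        findings.append(("error", "max age must be a non-negative number of seconds"))
    elif max_age > 600:
        findings.append(("warn", "max age above 600 s exceeds the 10-minute browser cap noted above"))
    return findings

# Constructed sample rules, not taken from a real bucket.
SAMPLES = [
    ("https://*.example.com", ["GET", "HEAD"], ["x-amz-acl"], 5),
    ("https://*.example.com", ["GET", "PUT", "DELETE"], [], 5),
    ("http://localhost:3000", ["GET"], [], 3600),
    ("*.example.com/uploads", ["PATCH"], ["bad header"], -1),
]

if __name__ == "__main__":
    for rule in SAMPLES:
        print(rule[0], lint_cors_rule(*rule))
```

An empty result means the rule matches the format described above and raises none of the hygiene warnings; a read-only wildcard rule such as the first sample passes cleanly, while the same origin with PUT or DELETE is flagged for review.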