Clarification needed for config.origins behavior in CORS plugin documentation

[escudev]

Where is the problem?

https://docs.konghq.com/hub/kong-inc/cors/configuration/#config-origins

What happened?

The CORS plugin documentation should clarify that setting config.origins to an empty array [] results in the plugin allowing all origins (*). This behavior is not currently documented and could lead to unintended security risks.

Steps to Reproduce:

1. Configure the CORS plugin with config.origins set to an empty array [].
2. The plugin allows all origins (*) instead of denying all origins.

What did you expect to happen?

The CORS plugin documentation should include a hint in the config.origins section of specify that providing an empty array will result in the plugin allowing all origins (*).

Additional Context:

This clarification is important to prevent potential security risks for clients who might expect that an empty array would deny all origins.

Thank you for considering this request to improve the clarity and security of the CORS plugin documentation.

Víctor Escudero victor.escudero_garcia@mercedes-benz.com on behalf of Mercedes-Benz Tech Innovation GmbH

Code of Conduct and Community Expectations

• I agree to follow this project's Code of Conduct
• I agree to abide by the Community Expectations