Corse allow methods in env options. #683

docs/src/intro.md

@@ -35,6 +35,7 @@ The default application can be customized using environment variables defined in
 
 - `NAME` (str): name of the application. Defaults to `titiler`.
 - `CORS_ORIGINS` (str, `,` delimited origins): allowed CORS origin. Defaults to `*`.
+- `CORS_ALLOW_METHODS` (str, `,` delimited methods): allowed CORS methods. Defaults to `GET`.
 - `CACHECONTROL` (str): Cache control header to add to responses. Defaults to `"public, max-age=3600"`.
 - `ROOT_PATH` (str): path behind proxy.
 - `DEBUG` (str): adds `LoggerMiddleware` and `TotalTimeMiddleware` in the middleware stack.

src/titiler/application/titiler/application/main.py

@@ -120,7 +120,7 @@
         CORSMiddleware,
         allow_origins=api_settings.cors_origins,
         allow_credentials=True,
-        allow_methods=["GET"],
+        allow_methods=api_settings.cors_allow_methods,
         allow_headers=["*"],
     )
 

src/titiler/application/titiler/application/settings.py

@@ -9,6 +9,7 @@ class ApiSettings(BaseSettings):
 
     name: str = "TiTiler"
     cors_origins: str = "*"
+    cors_allow_methods: str = "GET"
     cachecontrol: str = "public, max-age=3600"
     root_path: str = ""
     debug: bool = False
@@ -25,3 +26,8 @@ class ApiSettings(BaseSettings):
     def parse_cors_origin(cls, v):
         """Parse CORS origins."""
         return [origin.strip() for origin in v.split(",")]
+
+    @field_validator("cors_allow_methods")
+    def parse_cors_allow_methods(cls, v):
+        """Parse CORS allowed methods."""
+        return [method.strip().upper() for method in v.split(",")]