From 7217a8c93fc7c8f468e789748365192befe10b78 Mon Sep 17 00:00:00 2001 From: David Pine Date: Tue, 10 Sep 2024 14:35:25 -0500 Subject: [PATCH 1/8] Added OTLP dashboard bits --- docs/fundamentals/dashboard/configuration.md | 30 +++++++++++++++++++- 1 file changed, 29 insertions(+), 1 deletion(-) diff --git a/docs/fundamentals/dashboard/configuration.md b/docs/fundamentals/dashboard/configuration.md index 1f64f36ee2..f61509b9cd 100644 --- a/docs/fundamentals/dashboard/configuration.md +++ b/docs/fundamentals/dashboard/configuration.md @@ -1,7 +1,7 @@ --- title: .NET Aspire dashboard configuration description: .NET Aspire dashboard configuration options -ms.date: 05/30/2024 +ms.date: 09/10/2024 ms.topic: reference --- @@ -104,6 +104,34 @@ API key authentication works by requiring each OTLP request to have a valid `x-o | `Dashboard:Otlp:PrimaryApiKey` | `null` | Specifies the primary API key. The API key can be any text, but a value with at least 128 bits of entropy is recommended. This value is required if auth mode is API key. | | `Dashboard:Otlp:SecondaryApiKey` | `null` | Specifies the secondary API key. The API key can be any text, but a value with at least 128 bits of entropy is recommended. This value is optional. If a second API key is specified then the incoming `x-otlp-api-key` header value can match either the primary or secondary key. | +### OTLP CORS + +CORS (Cross-Origin Resource Sharing) is a mechanism that allows many resources (e.g., fonts, JavaScript, etc.) on a web page to be requested from another domain outside the domain from which the resource originated. + +With the .NET Aspire dashboard, the OTLP endpoint can be configured to allow cross-origin requests. This is useful when the dashboard is hosted on a different domain than the OTLP endpoint, and this can enable scenarios where browser telemetry is sent directly to the OTLP endpoint as demonstrated in the [browser telemetry](https://github.com/dotnet/aspire/tree/main/playground/BrowserTelemetry) sample. + +To configure CORS, use the `Dashboard:Otlp:Cors` section and specify the allowed origins and headers: + +```json +{ + "Dashboard": { + "Otlp": { + "Cors": { + "AllowedOrigins": [ "https://example.com" ], + "AllowedHeaders": [ "Content-Type" ] + } + } + } +} +``` + +Consider the following configuration options: + +| Option | Default Value | Description | +|--|--|--| +| `DASHBOARD__OTLP__CORS__ALLOWEDORIGINS` | `null` | A comma-delimited list of allowed origins for CORS. This setting is optional and a shortcut to `Dashboard:Otlp:Cors:AllowedOrigins`. | +| `DASHBOARD__OTLP__CORS__ALLOWEDHEADERS` | `null` | A comma-delimited list of allowed headers for CORS. This setting is optional and a shortcut to `Dashboard:Otlp:Cors:AllowedHeaders`. | + ### Resources The dashboard connects to a resource service to load and display resource information. The client is configured in the dashboard for how to connect to the service. From daeca8c7d07c0292218918b20f330e41dc130895 Mon Sep 17 00:00:00 2001 From: David Pine Date: Tue, 10 Sep 2024 14:43:35 -0500 Subject: [PATCH 2/8] Demote a few headings --- docs/fundamentals/dashboard/configuration.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/docs/fundamentals/dashboard/configuration.md b/docs/fundamentals/dashboard/configuration.md index f61509b9cd..7970fcd8d0 100644 --- a/docs/fundamentals/dashboard/configuration.md +++ b/docs/fundamentals/dashboard/configuration.md @@ -62,7 +62,7 @@ Alternatively, these same values could be configured using a JSON configuration > > For more information, see [dashboard security](security-considerations.md). -### Common configuration +## Common configuration | Option | Default Value | Description | |--|--|--| @@ -73,7 +73,7 @@ Alternatively, these same values could be configured using a JSON configuration | `DOTNET_DASHBOARD_CONFIG_FILE_PATH` | `null` | The path for a JSON configuration file. If the dashboard is being run in a Docker container, then this is the path to the configuration file in a mounted volume. This value is optional. | | `DOTNET_RESOURCE_SERVICE_ENDPOINT_URL` | `null` | The gRPC endpoint to which the dashboard connects for its data. If this value is unspecified, the dashboard shows telemetry data but no resource list or console logs. This setting is a shortcut to `Dashboard:ResourceServiceClient:Url`. | -### Frontend authentication +## Frontend authentication The dashboard frontend endpoint authentication is configured with `Dashboard:Frontend:AuthMode`. The frontend can be secured with OpenID Connect (OIDC) or browser token authentication. @@ -92,7 +92,7 @@ Browser token authentication works by the frontend asking for a token. The token | `Authentication:Schemes:OpenIdConnect:ClientSecret` | `null` | A secret that only the real RP would know. | | Other properties of | `null` | Values inside configuration section `Authentication:Schemes:OpenIdConnect:*` are bound to `OpenIdConnectOptions`, such as `Scope`. | -### OTLP authentication +## OTLP authentication The OTLP endpoint authentication is configured with `Dashboard:Otlp:AuthMode`. The OTLP endpoint can be secured with an API key or [client certificate](/aspnet/core/security/authentication/certauth) authentication. @@ -104,7 +104,7 @@ API key authentication works by requiring each OTLP request to have a valid `x-o | `Dashboard:Otlp:PrimaryApiKey` | `null` | Specifies the primary API key. The API key can be any text, but a value with at least 128 bits of entropy is recommended. This value is required if auth mode is API key. | | `Dashboard:Otlp:SecondaryApiKey` | `null` | Specifies the secondary API key. The API key can be any text, but a value with at least 128 bits of entropy is recommended. This value is optional. If a second API key is specified then the incoming `x-otlp-api-key` header value can match either the primary or secondary key. | -### OTLP CORS +## OTLP CORS CORS (Cross-Origin Resource Sharing) is a mechanism that allows many resources (e.g., fonts, JavaScript, etc.) on a web page to be requested from another domain outside the domain from which the resource originated. @@ -132,7 +132,7 @@ Consider the following configuration options: | `DASHBOARD__OTLP__CORS__ALLOWEDORIGINS` | `null` | A comma-delimited list of allowed origins for CORS. This setting is optional and a shortcut to `Dashboard:Otlp:Cors:AllowedOrigins`. | | `DASHBOARD__OTLP__CORS__ALLOWEDHEADERS` | `null` | A comma-delimited list of allowed headers for CORS. This setting is optional and a shortcut to `Dashboard:Otlp:Cors:AllowedHeaders`. | -### Resources +## Resources The dashboard connects to a resource service to load and display resource information. The client is configured in the dashboard for how to connect to the service. @@ -150,7 +150,7 @@ The resource service client authentication is configured with `Dashboard:Resourc | `Dashboard:ResourceServiceClient:ClientCertificate:Store` | `My` | The certificate . | | `Dashboard:ResourceServiceClient:ClientCertificate:Location` | `CurrentUser` | The certificate . | -#### Telemetry limits +### Telemetry limits Telemetry is stored in memory. To avoid excessive memory usage, the dashboard has limits on the count and size of stored telemetry. When a count limit is reached, new telemetry is added, and the oldest telemetry is removed. When a size limit is reached, data is truncated to the limit. @@ -168,7 +168,7 @@ Telemetry limits have different scopes depending upon the telemetry type: | `Dashboard:TelemetryLimits:MaxAttributeLength` | `null` | The maximum length of attributes. | | `Dashboard:TelemetryLimits:MaxSpanEventCount` | `null` | The maximum number of events on span attributes. | -### Other +## Other | Option | Default Value | Description | |--|--|--| From 92abd746e5b7a9fbb01f2127b5e8bc3a5b9f179c Mon Sep 17 00:00:00 2001 From: David Pine Date: Tue, 10 Sep 2024 15:01:48 -0500 Subject: [PATCH 3/8] Edit pass --- docs/fundamentals/dashboard/configuration.md | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/docs/fundamentals/dashboard/configuration.md b/docs/fundamentals/dashboard/configuration.md index 7970fcd8d0..a6b90cbff1 100644 --- a/docs/fundamentals/dashboard/configuration.md +++ b/docs/fundamentals/dashboard/configuration.md @@ -7,11 +7,11 @@ ms.topic: reference # Dashboard configuration -The dashboard is configured when it starts up. Configuration includes frontend and OTLP addresses, the resource service endpoint, authentication, telemetry limits, and more. +The dashboard is configured when it starts up. Configuration includes frontend and OpenTelemetry Protocol (OTLP) addresses, the resource service endpoint, authentication, telemetry limits, and more. -If the dashboard is launched by the .NET Aspire app host project, then it's automatically configured to display the app's resources and telemetry. Configuration is provided when launching the dashboard in [standalone mode](overview.md#standalone-mode). +When the dashboard is launched with the .NET Aspire app host project, it's automatically configured to display the app's resources and telemetry. Configuration is provided when launching the dashboard in [standalone mode](overview.md#standalone-mode). -There are a number of ways to provide configuration: +There are many ways to provide configuration: - Command line arguments. - Environment variables. The `:` delimiter should be replaced with double underscore (`__`) in environment variable names. @@ -77,14 +77,14 @@ Alternatively, these same values could be configured using a JSON configuration The dashboard frontend endpoint authentication is configured with `Dashboard:Frontend:AuthMode`. The frontend can be secured with OpenID Connect (OIDC) or browser token authentication. -Browser token authentication works by the frontend asking for a token. The token can either be entered in the UI or provided as a query string value to the login page. For example, `https://localhost:1234/login?t=TheToken`. When the token is successfully authenticated an auth cookie is persisted to the browser and the browser is redirected to the app. +Browser token authentication works by the frontend asking for a token. The token can either be entered in the UI or provided as a query string value to the login page. For example, `https://localhost:1234/login?t=TheToken`. When the token is successfully authenticated an auth cookie is persisted to the browser, and the browser is redirected to the app. | Option | Default Value | Description | |--|--|--| | `Dashboard:Frontend:AuthMode` | `BrowserToken` | Can be set to `BrowserToken`, `OpenIdConnect` or `Unsecured`. `Unsecured` should only be used during local development. It's not recommended when hosting the dashboard publicly or in other settings. | -| `Dashboard:Frontend:BrowserToken` | `null` | Specifies the browser token. If the browser token isn't specified, then the dashboard will generate one. Tooling that wants to automate logging in with browser token authentication can specify a token and open a browser with the token in the query string. A new token should be generated each time the dashboard is launched. | -| `Dashboard:Frontend:OpenIdConnect:NameClaimType` | `name` | Specifies the claim type(s) that should be used to display the authenticated user's full name. Can be a single claim type or a comma-delimited list of claim types. | -| `Dashboard:Frontend:OpenIdConnect:UsernameClaimType` | `preferred_username` | Specifies the claim type(s) that should be used to display the authenticated user's username. Can be a single claim type or a comma-delimited list of claim types. | +| `Dashboard:Frontend:BrowserToken` | `null` | Specifies the browser token. If the browser token isn't specified, then the dashboard generates one. Tooling that wants to automate logging in with browser token authentication can specify a token and open a browser with the token in the query string. A new token should be generated each time the dashboard is launched. | +| `Dashboard:Frontend:OpenIdConnect:NameClaimType` | `name` | Specifies one or more claim types that should be used to display the authenticated user's full name. Can be a single claim type or a comma-delimited list of claim types. | +| `Dashboard:Frontend:OpenIdConnect:UsernameClaimType` | `preferred_username` | Specifies one or more claim types that should be used to display the authenticated user's username. Can be a single claim type or a comma-delimited list of claim types. | | `Dashboard:Frontend:OpenIdConnect:RequiredClaimType` | `null` | Specifies the claim that must be present for authorized users. Authorization fails without this claim. This value is optional. | | `Dashboard:Frontend:OpenIdConnect:RequiredClaimValue` | `null` | Specifies the value of the required claim. Only used if `Dashboard:Frontend:OpenIdConnect:RequireClaimType` is also specified. This value is optional. | | `Authentication:Schemes:OpenIdConnect:Authority` | `null` | URL to the identity provider (IdP). | @@ -102,11 +102,11 @@ API key authentication works by requiring each OTLP request to have a valid `x-o |--|--|--| | `Dashboard:Otlp:AuthMode` | `Unsecured` | Can be set to `ApiKey`, `Certificate` or `Unsecured`. `Unsecured` should only be used during local development. It's not recommended when hosting the dashboard publicly or in other settings. | | `Dashboard:Otlp:PrimaryApiKey` | `null` | Specifies the primary API key. The API key can be any text, but a value with at least 128 bits of entropy is recommended. This value is required if auth mode is API key. | -| `Dashboard:Otlp:SecondaryApiKey` | `null` | Specifies the secondary API key. The API key can be any text, but a value with at least 128 bits of entropy is recommended. This value is optional. If a second API key is specified then the incoming `x-otlp-api-key` header value can match either the primary or secondary key. | +| `Dashboard:Otlp:SecondaryApiKey` | `null` | Specifies the secondary API key. The API key can be any text, but a value with at least 128 bits of entropy is recommended. This value is optional. If a second API key is specified, then the incoming `x-otlp-api-key` header value can match either the primary or secondary key. | ## OTLP CORS -CORS (Cross-Origin Resource Sharing) is a mechanism that allows many resources (e.g., fonts, JavaScript, etc.) on a web page to be requested from another domain outside the domain from which the resource originated. +CORS (Cross-Origin Resource Sharing) is a mechanism that allows many resources (for example, fonts, JavaScript, etc.) on a web page to be requested from another domain outside the domain from which the resource originated. With the .NET Aspire dashboard, the OTLP endpoint can be configured to allow cross-origin requests. This is useful when the dashboard is hosted on a different domain than the OTLP endpoint, and this can enable scenarios where browser telemetry is sent directly to the OTLP endpoint as demonstrated in the [browser telemetry](https://github.com/dotnet/aspire/tree/main/playground/BrowserTelemetry) sample. From 8c9b02c6cd4089a91fe5fa563eefac8c699fdf56 Mon Sep 17 00:00:00 2001 From: David Pine Date: Wed, 11 Sep 2024 07:21:58 -0500 Subject: [PATCH 4/8] Apply suggestions from code review Co-authored-by: James Newton-King --- docs/fundamentals/dashboard/configuration.md | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/docs/fundamentals/dashboard/configuration.md b/docs/fundamentals/dashboard/configuration.md index a6b90cbff1..105417e866 100644 --- a/docs/fundamentals/dashboard/configuration.md +++ b/docs/fundamentals/dashboard/configuration.md @@ -106,9 +106,11 @@ API key authentication works by requiring each OTLP request to have a valid `x-o ## OTLP CORS -CORS (Cross-Origin Resource Sharing) is a mechanism that allows many resources (for example, fonts, JavaScript, etc.) on a web page to be requested from another domain outside the domain from which the resource originated. +CORS (Cross-Origin Resource Sharing) can be configured to allow browser apps to send telemetry to the dashboard. -With the .NET Aspire dashboard, the OTLP endpoint can be configured to allow cross-origin requests. This is useful when the dashboard is hosted on a different domain than the OTLP endpoint, and this can enable scenarios where browser telemetry is sent directly to the OTLP endpoint as demonstrated in the [browser telemetry](https://github.com/dotnet/aspire/tree/main/playground/BrowserTelemetry) sample. +By default, browser apps are restricted from making cross domain API calls. This impacts sending telemetry to the dashboard because the dashboard and the browser app are always on different domains. Configuring CORS in the .NET Aspire dashboard removes the restriction and allows browser apps with the [OpenTelemetry SDK for JavaScript](https://opentelemetry.io/docs/languages/js/) to send telemetry directly to the dashboard OTLP HTTP endpoint. + +Using CORS, the dashboard and browser telemetry together is demonstrated in the [browser telemetry](https://github.com/dotnet/aspire/tree/main/playground/BrowserTelemetry) sample. To configure CORS, use the `Dashboard:Otlp:Cors` section and specify the allowed origins and headers: @@ -117,8 +119,7 @@ To configure CORS, use the `Dashboard:Otlp:Cors` section and specify the allowed "Dashboard": { "Otlp": { "Cors": { - "AllowedOrigins": [ "https://example.com" ], - "AllowedHeaders": [ "Content-Type" ] + "AllowedOrigins": "http://localhost:5000,https://localhost:5001" } } } From 59df278e7d1420131b7602de1faae3195b119222 Mon Sep 17 00:00:00 2001 From: David Pine Date: Wed, 11 Sep 2024 08:20:44 -0500 Subject: [PATCH 5/8] Add an alert about allow methods --- docs/fundamentals/dashboard/configuration.md | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/docs/fundamentals/dashboard/configuration.md b/docs/fundamentals/dashboard/configuration.md index 105417e866..6d7887a6ea 100644 --- a/docs/fundamentals/dashboard/configuration.md +++ b/docs/fundamentals/dashboard/configuration.md @@ -68,7 +68,7 @@ Alternatively, these same values could be configured using a JSON configuration |--|--|--| | `ASPNETCORE_URLS` | `http://localhost:18888` | One or more HTTP endpoints through which the dashboard frontend is served. The frontend endpoint is used to view the dashboard in a browser. When the dashboard is launched by the .NET Aspire app host this address is secured with HTTPS. Securing the dashboard with HTTPS is recommended. | | `DOTNET_DASHBOARD_OTLP_ENDPOINT_URL` | `http://localhost:18889` | The [OTLP/gRPC](https://opentelemetry.io/docs/specs/otlp/#otlpgrpc) endpoint. This endpoint hosts an OTLP service and receives telemetry using gRPC. When the dashboard is launched by the .NET Aspire app host this address is secured with HTTPS. Securing the dashboard with HTTPS is recommended. | -| `DOTNET_DASHBOARD_OTLP_HTTP_ENDPOINT_URL` | `http://localhost:18890` | The [OTLP/HTTP](https://opentelemetry.io/docs/specs/otlp/#otlphttp) endpoint. This endpoint hosts an OTLP service and receives telemetry using Protobuf over HTTP. When the dashboard is launched by the .NET Aspire app host the OTLP/HTTP endpoint isn't configured by default. To configure an OTLP/HTTP endpoint with the app host, set an `DOTNET_DASHBOARD_OTLP_HTTP_ENDPOINT_URL` env var value in `launchSettings.json`. Securing the dashboard with HTTPS is recommended. | +| `DOTNET_DASHBOARD_OTLP_HTTP_ENDPOINT_URL` | `http://localhost:18890` | The [OTLP/HTTP](https://opentelemetry.io/docs/specs/otlp/#otlphttp) endpoint. This endpoint hosts an OTLP service and receives telemetry using Protobuf over HTTP. When the dashboard is launched by the .NET Aspire app host the OTLP/HTTP endpoint isn't configured by default. To configure an OTLP/HTTP endpoint with the app host, set an `DOTNET_DASHBOARD_OTLP_HTTP_ENDPOINT_URL` env var value in _launchSettings.json_. Securing the dashboard with HTTPS is recommended. | | `DOTNET_DASHBOARD_UNSECURED_ALLOW_ANONYMOUS` | `false` | Configures the dashboard to not use authentication and accepts anonymous access. This setting is a shortcut to configuring `Dashboard:Frontend:AuthMode` and `Dashboard:Otlp:AuthMode` to `Unsecured`. | | `DOTNET_DASHBOARD_CONFIG_FILE_PATH` | `null` | The path for a JSON configuration file. If the dashboard is being run in a Docker container, then this is the path to the configuration file in a mounted volume. This value is optional. | | `DOTNET_RESOURCE_SERVICE_ENDPOINT_URL` | `null` | The gRPC endpoint to which the dashboard connects for its data. If this value is unspecified, the dashboard shows telemetry data but no resource list or console logs. This setting is a shortcut to `Dashboard:ResourceServiceClient:Url`. | @@ -133,6 +133,9 @@ Consider the following configuration options: | `DASHBOARD__OTLP__CORS__ALLOWEDORIGINS` | `null` | A comma-delimited list of allowed origins for CORS. This setting is optional and a shortcut to `Dashboard:Otlp:Cors:AllowedOrigins`. | | `DASHBOARD__OTLP__CORS__ALLOWEDHEADERS` | `null` | A comma-delimited list of allowed headers for CORS. This setting is optional and a shortcut to `Dashboard:Otlp:Cors:AllowedHeaders`. | +> [!IMPORTANT] +The dashboard only supports the `POST` method for sending telemetry and doesn't allow configuration of the _allowed methods_ (`Access-Control-Allow-Methods`) for CORS. + ## Resources The dashboard connects to a resource service to load and display resource information. The client is configured in the dashboard for how to connect to the service. From c2cb6b45437afe3dd20b1b1828068c81ac51aa33 Mon Sep 17 00:00:00 2001 From: David Pine Date: Wed, 11 Sep 2024 07:57:13 -0500 Subject: [PATCH 6/8] Addressing feedback --- docs/fundamentals/dashboard/configuration.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/docs/fundamentals/dashboard/configuration.md b/docs/fundamentals/dashboard/configuration.md index 6d7887a6ea..4d96cfb92d 100644 --- a/docs/fundamentals/dashboard/configuration.md +++ b/docs/fundamentals/dashboard/configuration.md @@ -1,7 +1,7 @@ --- title: .NET Aspire dashboard configuration description: .NET Aspire dashboard configuration options -ms.date: 09/10/2024 +ms.date: 09/11/2024 ms.topic: reference --- @@ -130,8 +130,8 @@ Consider the following configuration options: | Option | Default Value | Description | |--|--|--| -| `DASHBOARD__OTLP__CORS__ALLOWEDORIGINS` | `null` | A comma-delimited list of allowed origins for CORS. This setting is optional and a shortcut to `Dashboard:Otlp:Cors:AllowedOrigins`. | -| `DASHBOARD__OTLP__CORS__ALLOWEDHEADERS` | `null` | A comma-delimited list of allowed headers for CORS. This setting is optional and a shortcut to `Dashboard:Otlp:Cors:AllowedHeaders`. | +| `DASHBOARD__OTLP__CORS__ALLOWEDORIGINS` | `null` | A comma-delimited string, representing the allowed origins for CORS. The `*` represents a wildcard allowing any domain. An example domain would be a browser app that wants to send telemetry directly to the dashboard. This setting is optional and maps to the `Dashboard:Otlp:Cors:AllowedOrigins` configuration. | +| `DASHBOARD__OTLP__CORS__ALLOWEDHEADERS` | `null` | A comma-delimited string, representing the allowed headers for CORS. This setting is optional and a shortcut to `Dashboard:Otlp:Cors:AllowedHeaders`. | > [!IMPORTANT] The dashboard only supports the `POST` method for sending telemetry and doesn't allow configuration of the _allowed methods_ (`Access-Control-Allow-Methods`) for CORS. From 37df2101c0596f57f9d0f41db2ee2775fede493d Mon Sep 17 00:00:00 2001 From: David Pine Date: Wed, 11 Sep 2024 08:26:58 -0500 Subject: [PATCH 7/8] Fix alert syntax --- docs/fundamentals/dashboard/configuration.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/fundamentals/dashboard/configuration.md b/docs/fundamentals/dashboard/configuration.md index 4d96cfb92d..758dc8bc51 100644 --- a/docs/fundamentals/dashboard/configuration.md +++ b/docs/fundamentals/dashboard/configuration.md @@ -133,8 +133,8 @@ Consider the following configuration options: | `DASHBOARD__OTLP__CORS__ALLOWEDORIGINS` | `null` | A comma-delimited string, representing the allowed origins for CORS. The `*` represents a wildcard allowing any domain. An example domain would be a browser app that wants to send telemetry directly to the dashboard. This setting is optional and maps to the `Dashboard:Otlp:Cors:AllowedOrigins` configuration. | | `DASHBOARD__OTLP__CORS__ALLOWEDHEADERS` | `null` | A comma-delimited string, representing the allowed headers for CORS. This setting is optional and a shortcut to `Dashboard:Otlp:Cors:AllowedHeaders`. | -> [!IMPORTANT] -The dashboard only supports the `POST` method for sending telemetry and doesn't allow configuration of the _allowed methods_ (`Access-Control-Allow-Methods`) for CORS. +> [!NOTE] +> The dashboard only supports the `POST` method for sending telemetry and doesn't allow configuration of the _allowed methods_ (`Access-Control-Allow-Methods`) for CORS. ## Resources From 0d019148721109df65811f9f48ed936de025de65 Mon Sep 17 00:00:00 2001 From: David Pine Date: Wed, 11 Sep 2024 09:44:14 -0500 Subject: [PATCH 8/8] Update table --- docs/fundamentals/dashboard/configuration.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/fundamentals/dashboard/configuration.md b/docs/fundamentals/dashboard/configuration.md index 758dc8bc51..3c50774a71 100644 --- a/docs/fundamentals/dashboard/configuration.md +++ b/docs/fundamentals/dashboard/configuration.md @@ -130,8 +130,8 @@ Consider the following configuration options: | Option | Default Value | Description | |--|--|--| -| `DASHBOARD__OTLP__CORS__ALLOWEDORIGINS` | `null` | A comma-delimited string, representing the allowed origins for CORS. The `*` represents a wildcard allowing any domain. An example domain would be a browser app that wants to send telemetry directly to the dashboard. This setting is optional and maps to the `Dashboard:Otlp:Cors:AllowedOrigins` configuration. | -| `DASHBOARD__OTLP__CORS__ALLOWEDHEADERS` | `null` | A comma-delimited string, representing the allowed headers for CORS. This setting is optional and a shortcut to `Dashboard:Otlp:Cors:AllowedHeaders`. | +| `Dashboard:Otlp:Cors:AllowedOrigins` | `null` | Specifies the allowed origins for CORS. It's a comma-delimited string and can include the `*` wildcard to allow any domain. This option is optional and can be set using the `DASHBOARD__OTLP__CORS__ALLOWEDORIGINS` environment variable. | +| `Dashboard:Otlp:Cors:AllowedHeaders` | `null` | A comma-delimited string representing the allowed headers for CORS. This setting is optional and can be set using the `DASHBOARD__OTLP__CORS__ALLOWEDHEADERS` environment variable. | > [!NOTE] > The dashboard only supports the `POST` method for sending telemetry and doesn't allow configuration of the _allowed methods_ (`Access-Control-Allow-Methods`) for CORS.