Cross Origin Resource Sharing (CORS) Restriction rule
Sets the appropriate headers for browser-based requests so that the browser doesn't block the response. This rule doesn't apply to non-browser-based applications. Browsers enforce a same-origin policy: a web page may send requests to another origin, but the browser will not let the page read the response unless the serving origin permits it. Before sending a cross-origin request that is not a simple request (for example, one that uses PUT or a custom header), the browser makes a pre-flight (OPTIONS) request to the target server. The pre-flight response can contain headers that indicate which origins, methods and headers are allowed to access the resource. For example, if a web page on example.com wants to access data from an API hosted on api.example.org, the server hosting the API configures CORS to allow requests from example.com.
The CORS Restriction rule includes response headers for Access-Control-Allow-Methods, Access-Control-Allow-Origin, and Access-Control-Expose-Headers.
Note: Do not use the request.remoteUser or request.isUserInRole() functions with the Early Request Validator rule, which is applied before authentication, so the user is not yet known. Instead, use the Authorized Request Validator rule and set its Condition parameter to the Boolean returned by these functions.
Rule execution order
This rule executes before all other rules in request processing, so a pre-flight request is answered before authentication or other validation rules run. For pre-flight requests, the browser compares the request method and request headers it intends to use against the allowed methods and headers returned by the endpoint, and only then sends the actual request.
Field | Description
---|---
When this rule should be applied | An expression that defines one or more conditions that must be true for the rule to execute. Default value: N/A. Example: The expression
Access Control Request Methods | The request methods the rule allows for cross-origin calls (returned to the browser in Access-Control-Allow-Methods). Supported methods are POST, PUT, GET, DELETE, OPTIONS and PATCH. Default value: all methods selected. Example:
Access Control Request Headers | Required. The list of request headers the rule allows, in addition to the CORS-safelisted request headers (Accept, Accept-Language, Content-Language, Content-Type). A pre-flight that names any other header is rejected by the browser. Example: X-Custom-Header
Access Control Max Age | The number of seconds for which the browser may cache the pre-flight response for this endpoint before repeating the pre-flight (the Access-Control-Max-Age value). Default value: 300 (seconds). Example: 175
Access Control Allow Credentials | Whether the browser may send credentials (cookies, Authorization headers, TLS client certificates) with cross-origin requests to the endpoint, that is, whether Access-Control-Allow-Credentials: true is returned. When enabled, Access-Control-Allow-Origin must name a specific origin; browsers reject a wildcard (*) origin combined with credentials. Default value: Enabled. Example: Disabled
Description | Required. A brief description of this rule. Default value: Requests are having the specified CORS headers added. Example: PROD_ENV_CORS
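The following is an added example, not the API platform's own code, that models the pre-flight exchange the rule fields above configure: the server side produces the response headers from a config object that mirrors the table (Access Control Request Methods, Access Control Request Headers, Access Control Max Age, Access Control Allow Credentials), and the browser side applies the checks a browser performs before sending the actual request. The allowedOrigins list is an assumption, since the page does not say how the rule chooses the Access-Control-Allow-Origin value; the requests are constructed inline.

```javascript
// Added example (not the API platform's own code): a model of the CORS
// pre-flight exchange configured by the CORS Restriction rule.

// CORS-safelisted request headers a browser may use without listing them in
// the pre-flight (Fetch standard). The rule's header list is added to these.
const SAFELISTED_REQUEST_HEADERS = ["accept", "accept-language", "content-language", "content-type"];

// Mirrors the rule's fields; allowedOrigins is an assumed field (not on the page).
const ruleConfig = {
  allowedOrigins: ["https://example.com"],                             // assumed
  allowedMethods: ["GET", "POST", "PUT", "DELETE", "OPTIONS", "PATCH"], // Access Control Request Methods
  allowedHeaders: ["X-Custom-Header"],                                 // Access Control Request Headers
  maxAgeSeconds: 300,                                                  // Access Control Max Age
  allowCredentials: true,                                              // Access Control Allow Credentials
};

// Split a comma-separated header value into lower-cased tokens.
const splitList = (v) => (v ? v.split(",").map((s) => s.trim().toLowerCase()).filter(Boolean) : []);

// Server side: the headers the rule would add to an OPTIONS pre-flight response.
// Returns null when the request is not a pre-flight (no Origin / requested method).
function preflightResponse(config, req) {
  const origin = req.headers.origin;
  if (req.method !== "OPTIONS" || !origin || !req.headers["access-control-request-method"]) return null;
  const resp = {
    "Access-Control-Allow-Methods": config.allowedMethods.join(", "),
    "Access-Control-Allow-Headers": config.allowedHeaders.join(", "),
    "Access-Control-Max-Age": String(config.maxAgeSeconds),
  };
  if (config.allowedOrigins.includes("*")) {
    resp["Access-Control-Allow-Origin"] = "*"; // only usable without credentials
  } else if (config.allowedOrigins.includes(origin)) {
    resp["Access-Control-Allow-Origin"] = origin; // echo the specific allowed origin
    resp["Vary"] = "Origin";                      // caches must not reuse it for other origins
  }
  if (config.allowCredentials) resp["Access-Control-Allow-Credentials"] = "true";
  return resp;
}

// Browser side: the checks a browser applies to the pre-flight response before
// it sends the real request. Returns { allowed, reason, cacheSeconds }.
function browserDecision(req, resp) {
  const origin = req.headers.origin;
  const allowOrigin = resp["Access-Control-Allow-Origin"];
  const withCredentials = Boolean(req.credentials);
  const fail = (reason) => ({ allowed: false, reason, cacheSeconds: 0 });

  if (!allowOrigin) return fail("no Access-Control-Allow-Origin");
  if (allowOrigin !== "*" && allowOrigin !== origin) return fail("origin not allowed");
  if (withCredentials && allowOrigin === "*") return fail("wildcard origin with credentials");
  if (withCredentials && resp["Access-Control-Allow-Credentials"] !== "true") return fail("credentials not allowed");

  const method = req.headers["access-control-request-method"].toUpperCase();
  const allowedMethods = splitList(resp["Access-Control-Allow-Methods"]).map((m) => m.toUpperCase());
  if (!allowedMethods.includes(method)) return fail(`method ${method} not allowed`);

  const allowedHeaders = [...SAFELISTED_REQUEST_HEADERS, ...splitList(resp["Access-Control-Allow-Headers"])];
  for (const h of splitList(req.headers["access-control-request-headers"])) {
    if (!allowedHeaders.includes(h)) return fail(`header ${h} not allowed`);
  }
  return { allowed: true, reason: "ok", cacheSeconds: Number(resp["Access-Control-Max-Age"]) || 0 };
}

// Constructed pre-flight request, shaped as a browser on `origin` would send it
// before issuing `method` with the given extra headers.
function makePreflight(origin, method, headers, credentials) {
  return {
    method: "OPTIONS",
    credentials,
    headers: {
      origin,
      "access-control-request-method": method,
      "access-control-request-headers": headers.join(", "),
    },
  };
}

// Run both sides for one intended request and return the browser's decision.
function evaluate(config, origin, method, headers, credentials = true) {
  const req = makePreflight(origin, method, headers, credentials);
  const resp = preflightResponse(config, req);
  return resp ? browserDecision(req, resp) : { allowed: false, reason: "not a pre-flight", cacheSeconds: 0 };
}

console.log(evaluate(ruleConfig, "https://example.com", "PUT", ["X-Custom-Header"]));  // allowed
console.log(evaluate(ruleConfig, "https://evil.example", "PUT", ["X-Custom-Header"])); // blocked: origin
console.log(evaluate(ruleConfig, "https://example.com", "PUT", ["X-Other"]));          // blocked: header
```

The wildcard branch exists to show the caveat on Access Control Allow Credentials: with allowedOrigins set to `*` and credentials enabled, the server answers every pre-flight, yet the browser still blocks any request carrying cookies, so the rule appears to work until a credentialed call is made.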