Cross Origin Resource Sharing (CORS) Restriction Policy
Sets the appropriate CORS headers for browser-based requests so that the browser doesn't block the response. This policy doesn't apply to non-browser-based applications. You must apply a CORS Restriction policy to enable the Try it out feature in the Developer Portal.
Browsers have a same-origin policy that doesn't permit requests to any domain except the one serving the web page. For such cross-origin requests, browsers make a pre-flight request to the target server. The response can contain headers that indicate which origins are allowed to access the resource. For example, if a web page on example.com wants to access data from an API hosted on api.example.org, the server hosting the API configures CORS to allow requests from example.com.
The CORS Restriction policy includes the response headers Access-Control-Allow-Methods, Access-Control-Allow-Origin, and Access-Control-Expose-Headers.
Policy execution order
This policy executes before all other policies in request processing. For pre-flight requests, browsers check the list of allowed headers and request methods returned by the endpoint.
How OPTIONS requests are handled
If no CORS Restriction policy is applied to an endpoint, the server returns 405 Method Not Allowed for OPTIONS requests and the API doesn't execute.
When a CORS Restriction policy is applied, the Access Control Allow Origins list determines the behavior:
- With a value specified, an OPTIONS pre-flight request returns 200 OK with the CORS headers immediately. The API doesn't execute.
- With an empty list, the CORS check is skipped entirely and the request continues to the API.
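As an added example (not SnapLogic's own code), the OPTIONS handling described above modelled in Python, together with a browser-side check that shows the gateway never refuses a cross-origin request itself: the browser blocks it when the pre-flight response doesn't name the origin and method. The policy field names follow the table below; the exact header set and how an unlisted origin is answered are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

ALL_METHODS = ["POST", "PUT", "GET", "DELETE", "OPTIONS", "PATCH"]

@dataclass
class CorsRestrictionPolicy:
    """Fields named after the policy table; defaults follow the documented ones."""
    allow_origins: List[str]                          # Access Control Allow Origins
    request_methods: List[str] = field(default_factory=lambda: list(ALL_METHODS))
    request_headers: List[str] = field(default_factory=list)  # beyond CORS-safe headers
    max_age: int = 300                                # Access Control Max Age (seconds)
    allow_credentials: bool = True

def handle_options(policy: Optional[CorsRestrictionPolicy],
                   origin: str) -> Tuple[Optional[int], Dict[str, str], bool]:
    """Gateway side: (status, response headers, api_executes) for an OPTIONS pre-flight."""
    if policy is None:
        return 405, {}, False            # no policy: 405 Method Not Allowed, API doesn't run
    if not policy.allow_origins:
        return None, {}, True            # empty origin list: CORS check skipped, API runs
    headers = {
        "Access-Control-Allow-Methods": ", ".join(policy.request_methods),
        "Access-Control-Allow-Headers": ", ".join(policy.request_headers),
        "Access-Control-Max-Age": str(policy.max_age),
    }
    if policy.allow_credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    # Assumption: Access-Control-Allow-Origin is only echoed back for a listed origin.
    if origin in policy.allow_origins:
        headers["Access-Control-Allow-Origin"] = origin
    return 200, headers, False           # answered immediately; the API doesn't execute

def browser_permits(origin: str, method: str, status: Optional[int],
                    headers: Dict[str, str]) -> bool:
    """Browser side: block unless the pre-flight response names this origin and method."""
    if status != 200:
        return False
    if headers.get("Access-Control-Allow-Origin") not in (origin, "*"):
        return False
    allowed = [m.strip() for m in headers.get("Access-Control-Allow-Methods", "").split(",")]
    return method in allowed

if __name__ == "__main__":
    policy = CorsRestrictionPolicy(allow_origins=["https://example.com"],
                                   request_headers=["X-Custom-Header"])
    for origin in ("https://example.com", "https://other.example"):  # constructed origins
        status, hdrs, _ = handle_options(policy, origin)
        print(origin, status, browser_permits(origin, "GET", status, hdrs))
```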
| Field/Field set | Description |
|---|---|
| When this policy should be applied | An expression that defines one or more conditions that must be true for the policy to execute. Default value: N/A. Example: The expression |
| Access Control Allow Origins | The base URLs of the sites allowed to make requests, one per field. Example: https://elastic.snaplogic.com |
| Access Control Request Methods | The allowed request methods. Supported methods: POST, PUT, GET, DELETE, OPTIONS, PATCH. Default value: All methods selected. Example: |
| Access Control Request Headers | Required. The list of allowed request headers, in addition to the CORS-safe headers. Example: X-Custom-Header |
| Access Control Max Age | The time (in seconds, as carried by the Access-Control-Max-Age header) for which the browser caches the endpoint's pre-flight response. Default value: 300. Example: 175 |
| Access Control Allow Credentials | Allowed response headers if the APIM endpoint adds new headers as part of the response. Default value: Enabled |
| Description | Required. A brief description of this policy. Default value: Requests are having the specified CORS headers added |