Cross Origin Resource Sharing (CORS) Restriction rule
Sets the appropriate headers on responses to browser-based requests so that the browser doesn't block the response. This rule doesn't apply to non-browser-based clients. You must apply a policy with a CORS Restriction rule to enable the Try it out feature in DeveloperHub.
Browsers enforce a same-origin policy: a script on a web page can't read the response to a request sent to an origin (scheme, host and port) other than the one serving the page unless that origin opts in. For cross-origin requests that aren't simple (for example, a PUT, or a request carrying a custom header), the browser first sends a pre-flight OPTIONS request to the target server. The pre-flight response carries headers that indicate which origins, request methods and request headers are allowed for the resource. For example, if a web page on example.com wants to access data from an API hosted on api.example.org, the server hosting the API configures CORS to allow requests from example.com.
The CORS Restriction rule adds the Access-Control-Allow-Methods, Access-Control-Allow-Origin, and Access-Control-Expose-Headers response headers. Because the allowed-origin list is what stops other sites from reading your API's responses in a victim's browser, list only origins you control, and keep in mind that browsers reject a wildcard Access-Control-Allow-Origin when Access Control Allow Credentials is enabled.
request.remoteUser or request.isUserInRole() functions with the Early Request Validator rule, which is applied before authentication. Instead, use the Authorized Request Validator rule and set the Condition parameter to the Boolean returned by these functions.

Rule execution order

This rule executes before all other rules in request processing. For pre-flight requests, the browser checks the allowed request headers and request methods that the endpoint returns, and only then sends the actual request.
| Field | Description |
|---|---|
| When this rule should be applied | An expression that defines one or more conditions that must be true for the rule to execute. Default value: N/A. Example: The expression |
| Access Control Allow Origins | The base URLs (scheme, host and port, with no path) of the sites allowed to make requests, one per field. Browsers compare origins exactly, so each entry must match the requesting page's origin character for character. Example: https://elastic.snaplogic.com |
| Access Control Request Methods | The allowed request methods. Supported methods are POST, PUT, GET, DELETE, OPTIONS and PATCH. Default value: All methods selected. Example: |
| Access Control Request Headers | Required. The list of allowed request headers, in addition to the CORS-safelisted request headers (such as Accept and Accept-Language). Example: X-Custom-Header |
| Access Control Max Age | The number of seconds the browser may cache the pre-flight response for the endpoint before it must send another pre-flight request (sent as Access-Control-Max-Age). Default value: 300. Example: 175 |
| Access Control Allow Credentials | Allowed response headers if the APIM endpoint adds new headers as part of the response. Default value: Enabled |
| Description | Required. A brief description of this rule. Default value: Requests are having the specified CORS headers added |
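As an added example (not SnapLogic's code, and not a description of how APIM implements the rule internally), the following Node.js script models the decision a CORS Restriction rule has to make for the pre-flight request described under Rule execution order and for the actual request that follows it, using the table's fields as its configuration. The origin list, the exact-match rules, the Vary header and the X-Request-Id exposed header are assumptions chosen for illustration.

```javascript
'use strict';
// Added example, not SnapLogic's code: a minimal model of what a CORS
// Restriction rule computes for a pre-flight and for the actual request.
// The `policy` object mirrors the rule's fields; the exact-match rules
// below are assumptions about a sound implementation, not the product's.

// Request headers a browser may send cross-origin without listing them in
// Access-Control-Request-Headers (the CORS-safelisted request headers).
const SAFELISTED = new Set(['accept', 'accept-language', 'content-language', 'content-type']);

const policy = {
  allowOrigins: ['https://elastic.snaplogic.com', 'https://example.com'],
  allowMethods: ['GET', 'POST', 'PUT', 'DELETE', 'OPTIONS', 'PATCH'],
  allowHeaders: ['X-Custom-Header'],   // in addition to the safelist
  exposeHeaders: ['X-Request-Id'],     // assumed example value
  maxAge: 300,                         // seconds
  allowCredentials: true,
};

// Settings that browsers reject or that defeat the restriction.
function policyProblems(p) {
  const problems = [];
  if (p.allowCredentials && p.allowOrigins.includes('*')) {
    problems.push('Allow-Credentials: true cannot be combined with Allow-Origin: *');
  }
  for (const o of p.allowOrigins) {
    // An origin is scheme://host[:port] with no path and no trailing slash.
    if (o !== '*' && !/^https?:\/\/[^/]+$/.test(o)) problems.push(`not a base URL: ${o}`);
  }
  return problems;
}

// Exact, case-sensitive match: a prefix or substring check would admit
// https://elastic.snaplogic.com.evil.example.
function originAllowed(p, origin) {
  if (typeof origin !== 'string') return false;
  return p.allowOrigins.includes('*') || p.allowOrigins.includes(origin);
}

function deny() { return { status: 403, headers: {} }; }

// `req` is a constructed {method, headers} object with lower-case header
// names, the shape Node's http module hands to a request handler.
function applyCors(p, req) {
  const origin = req.headers.origin;
  if (origin === undefined) return { status: 200, headers: {} }; // same-origin or non-browser client
  if (!originAllowed(p, origin)) return deny();

  const common = {
    'Access-Control-Allow-Origin': origin, // echo the matched origin, never '*'
    Vary: 'Origin',                         // caches must not serve it to another origin
  };
  if (p.allowCredentials) common['Access-Control-Allow-Credentials'] = 'true';

  const preflight = req.method === 'OPTIONS' && 'access-control-request-method' in req.headers;
  if (!preflight) {
    // Actual request: only the response-side headers apply.
    return { status: 200, headers: { ...common, 'Access-Control-Expose-Headers': p.exposeHeaders.join(', ') } };
  }

  // Pre-flight: the browser asks whether the method and headers it is about
  // to send are allowed. Deny anything outside the configured lists.
  const method = req.headers['access-control-request-method'];
  if (!p.allowMethods.includes(method)) return deny();

  const requested = (req.headers['access-control-request-headers'] || '')
    .split(',').map((h) => h.trim().toLowerCase()).filter(Boolean);
  const allowedHeaders = new Set([...SAFELISTED, ...p.allowHeaders.map((h) => h.toLowerCase())]);
  if (!requested.every((h) => allowedHeaders.has(h))) return deny();

  return {
    status: 204,
    headers: {
      ...common,
      'Access-Control-Allow-Methods': p.allowMethods.join(', '),
      'Access-Control-Allow-Headers': p.allowHeaders.join(', '),
      'Access-Control-Max-Age': String(p.maxAge),
    },
  };
}

// Stand-alone run: a pre-flight from an allowed origin, then a request from
// a look-alike origin that a substring match would have let through.
console.log(applyCors(policy, { method: 'OPTIONS', headers: {
  origin: 'https://elastic.snaplogic.com', 'access-control-request-method': 'PUT',
  'access-control-request-headers': 'Content-Type, X-Custom-Header' } }));
console.log(applyCors(policy, { method: 'GET', headers: { origin: 'https://elastic.snaplogic.com.evil.example' } }));
```

Two details carry the security weight. The origin comparison is an exact string match, because any prefix, suffix or regular-expression shortcut turns the allow list into something an attacker-controlled hostname can satisfy. The response echoes the single matched origin together with Vary: Origin rather than reflecting whatever Origin arrived, so a shared cache can't hand one origin's CORS-approved response to another.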