Cross Origin Resource Sharing (CORS) Restriction rule
Sets the appropriate CORS headers for browser-based requests so that the browser doesn't block the response. This rule doesn't apply to non-browser clients (curl, server-to-server calls, mobile SDKs), because only browsers enforce the same-origin policy. You must apply a policy with a CORS Restriction rule to enable the Try it out feature in the APIM 3.0 Developer Portal.
Browsers enforce a same-origin policy that stops a web page from reading responses from any origin (scheme, host, and port) other than the one serving the page. Before sending a cross-origin request that isn't a simple request (for example, one using PUT, DELETE, or a custom header), the browser sends an OPTIONS pre-flight request to the target server. The response carries headers that state which origins, methods, and headers are allowed. For example, if a web page on example.com wants to access data from an API hosted on api.example.org, the server hosting the API configures CORS to allow requests from example.com.
The CORS Restriction rule includes the response headers Access-Control-Allow-Methods, Access-Control-Allow-Origin, and Access-Control-Expose-Headers.
Rule execution order
This rule executes before all other rules in request processing. For a pre-flight request, the browser compares the method and headers it intends to send against the allowed methods and headers the endpoint returns, and blocks the actual request if either isn't allowed.
How OPTIONS requests are handled
If no CORS Restriction rule is applied to an endpoint, the server returns 405 Method Not Allowed for OPTIONS requests and the Service doesn't execute.
When a CORS Restriction rule is applied, the Access Control Allow Origins list determines the behavior:
- With a value specified, an OPTIONS pre-flight request returns 200 OK with the CORS headers immediately. The Service doesn't execute.
- With an empty list, the CORS check is skipped entirely and the request continues to the Service. Don't read this as "allow every origin": no CORS headers are added, so the browser still blocks cross-origin reads unless the Service adds the headers itself.
| Field/Field set | Description |
|---|---|
| When this rule should be applied | An expression that defines one or more conditions that must be true for the rule to execute. Default value: N/A. Example: The expression |
| Access Control Allow Origins | The base URLs (scheme, host, and port, with no path) of the sites allowed to make requests, one per field. Browsers compare origins exactly, so an entry of https://example.com doesn't cover http://example.com, its subdomains, or other ports. Example: https://elastic.snaplogic.com |
| Access Control Request Methods | Allowed request methods. Supported methods are POST, PUT, GET, DELETE, OPTIONS, PATCH. Default value: All methods selected. Example: |
| Access Control Request Headers | Required. The list of allowed request headers, in addition to the CORS-safelisted headers. Example: X-Custom-Header |
| Access Control Max Age | The number of seconds the browser may cache the pre-flight response for this endpoint before it sends another OPTIONS request. Default value: 300. Example: 175 |
| Access Control Allow Credentials | Whether the response includes Access-Control-Allow-Credentials, which lets the browser send cookies and other credentials with cross-origin requests to this endpoint. When credentials are allowed, browsers reject a response whose Access-Control-Allow-Origin is a wildcard, so Access Control Allow Origins must list explicit origins. Default value: Enabled |
| Description | Required. A brief description of this rule. Default value: Requests are having the specified CORS headers added |
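The following is an added illustration of the pre-flight handling described above (405 with no rule, 200 OK with headers when origins are listed, pass-through when the list is empty) and of the fields in the table. It is not SnapLogic's code; the rule object's property names (allowOrigins, requestMethods, requestHeaders, maxAge, allowCredentials) are assumptions mapped one-to-one onto the table's fields, and the handling of an origin that is not on the list is an assumption the page does not spell out.

```javascript
// Model of the CORS Restriction rule's decision for one request.
// Added example, not SnapLogic's code. Property names on `rule` are assumed
// to map onto the table's fields; see the lead-in.

// Headers a browser may send without listing them in Access-Control-Request-Headers.
const CORS_SAFE_REQUEST_HEADERS = ["accept", "accept-language", "content-language", "content-type"];

// Reduce a URL to its origin (scheme://host[:port]) for an exact comparison.
// Returns null for anything that is not a valid absolute URL, so a missing or
// malformed Origin header can never match an allowed entry.
function toOrigin(value) {
  try {
    return new URL(value).origin;
  } catch {
    return null;
  }
}

// Configuration checks worth running before saving the rule: every allowed
// origin must be written as a bare origin (no path, no trailing slash),
// because the browser compares the Origin header against it character for character.
function validateRule(rule) {
  const problems = [];
  for (const entry of rule.allowOrigins) {
    if (toOrigin(entry) !== entry) {
      problems.push(`"${entry}" is not a bare origin (scheme://host[:port], no path or trailing slash)`);
    }
  }
  return problems;
}

// Decide how the gateway answers one request. `rule` is null when no CORS
// Restriction rule is applied to the endpoint. Returns the status to send
// immediately (null if none), the CORS headers to add, and whether the Service runs.
function evaluate(rule, req) {
  const origin = toOrigin(req.headers["origin"] ?? "");

  if (req.method !== "OPTIONS") {
    // Actual request: the Service runs; the allow-origin header is added only
    // for a listed origin and echoes it exactly (never "*"), which is what
    // Access-Control-Allow-Credentials: true requires.
    const headers = {};
    if (rule && rule.allowOrigins.includes(origin)) {
      headers["Access-Control-Allow-Origin"] = origin;
      headers["Vary"] = "Origin";
      if (rule.allowCredentials) headers["Access-Control-Allow-Credentials"] = "true";
    }
    return { status: null, headers, runService: true };
  }

  if (rule === null) {
    return { status: 405, headers: {}, runService: false }; // no rule: OPTIONS is not served
  }
  if (rule.allowOrigins.length === 0) {
    return { status: null, headers: {}, runService: true }; // empty list: CORS check skipped
  }

  const headers = { Vary: "Origin" };
  if (rule.allowOrigins.includes(origin)) {
    // The rule only advertises what is allowed; the browser compares the
    // requested method and headers against these lists itself.
    headers["Access-Control-Allow-Origin"] = origin;
    headers["Access-Control-Allow-Methods"] = rule.requestMethods.join(", ");
    headers["Access-Control-Allow-Headers"] = [...CORS_SAFE_REQUEST_HEADERS, ...rule.requestHeaders].join(", ");
    headers["Access-Control-Max-Age"] = String(rule.maxAge);
    if (rule.allowCredentials) headers["Access-Control-Allow-Credentials"] = "true";
  }
  // Assumption: an origin not on the list still gets 200 but no allow
  // headers, so the browser blocks the page's request.
  return { status: 200, headers, runService: false };
}

// Constructed sample rule using the example values from the table.
const sampleRule = {
  allowOrigins: ["https://elastic.snaplogic.com"],
  requestMethods: ["POST", "PUT", "GET", "DELETE", "OPTIONS", "PATCH"],
  requestHeaders: ["X-Custom-Header"],
  maxAge: 300,
  allowCredentials: true,
};

// Constructed pre-flight, as a browser sends it before a POST carrying a custom header.
function preflightFrom(origin) {
  return {
    method: "OPTIONS",
    headers: {
      origin,
      "access-control-request-method": "POST",
      "access-control-request-headers": "x-custom-header",
    },
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(evaluate(null, preflightFrom("https://elastic.snaplogic.com")));
  console.log(evaluate(sampleRule, preflightFrom("https://elastic.snaplogic.com")));
  console.log(evaluate(sampleRule, preflightFrom("https://elastic.snaplogic.com.attacker.example")));
  console.log(validateRule({ ...sampleRule, allowOrigins: ["https://elastic.snaplogic.com/"] }));
}
```

The third call shows why exact origin matching matters: a look-alike host such as elastic.snaplogic.com.attacker.example contains the allowed origin as a prefix but gets no Access-Control-Allow-Origin header. To check a real endpoint the same way, send an OPTIONS request with curl carrying an Origin header and an Access-Control-Request-Method header, and confirm the response is 200 with the expected Access-Control-* headers for a listed origin and 405 where no rule is applied.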