Policy: Cross Origin Resource Sharing (CORS) Restriction

Use the CORS Restriction policy to set the appropriate headers for requests coming from a different domain so that the response is not blocked by the browser. Restricting access to APIs based on the client's request origin/domain address is an extra layer of security for protecting your Snaplex nodes. The restriction also applies to the combination of allowed headers, request methods, or domains. The CORS Restriction API policy includes response headers for Access-Control-Allow-Methods, Access-Control-Allow-Origin, and Access-Control-Expose-Headers.

CORS is a client browser-enabled security feature. The CORS policy does not restrict request processing at the API Manager endpoint if the request comes from a different combination of origin, method, or headers; however, the request is blocked by the client browser.

Note: You cannot use the request.remoteUser or request.isUserInRole() functions with the Early Request Validator policy, which is applied before authentication. Instead, use the Authorized Request Validator policy and set the Condition parameter to the Boolean returned by these functions.

Policy execution order

This policy is executed before all policies in request processing. For pre-flight requests, browsers check the list of allowed headers and request methods by the API endpoint.


Field	Description
Label	Required. The name for the API policy. Default value: CORS Restriction Example: CORS_DevAPI_Project
When this policy should be applied	An expression enabled field that determines the condition to be fulfilled for the API policy to execute. Example: If the value of this parameter is `request.method == "POST"`, the API policy is executed only if the request method is a POST.
Access Control Request Methods	Allowed request methods. Supported methods are `POST`, `PUT`, `GET`, `DELETE`, `OPTIONS`, `PATCH`. Default value: All methods selected. Example: `GET, POST`
Access Control Request Headers	Required. The list of allowed request headers, in addition to the CORS safe headers. Example: X-Custom-Header
Access Control Max Age	The time period for which browser needs to cache the API endpoint for pre-flight requests. Default value: 300 Example: 175
Access Control Allow Credentials	Allowed response headers if APIM end points adds new headers as part of response. Default value: Enabled Example: Disabled