Use the CORS policy to set the appropriate headers for requests coming from a different domain so that the response is not blocked by the browser. Restricting access to APIs based on the client’s request origin/domain address is an extra layer of security for protecting your Snaplex nodes. The restriction also applies to the combination of allowed headers, request methods, or domains. The The CORS Restriction API policy includes response headers for Access-Control-Allow-Methods
, Access-Control-Allow-Orgin
, and Access-Control=Expose-Headers
.
Note |
---|
CORS is a client browser-enabled security feature. The CORS policy does not restrict request processing at the API Manager endpoint if the request is coming from a different combination of either origin, method, or headers; however, the request is blocked by the client browser. |
NOTE: You cannot use request.remoteUser
or request.isUserInRole()
functions with the Early Request Validator policy, which is applied before authentication. Instead, use the Authorized Request Validator policy and set the Condition parameter to the Boolean returned by these functions.
Policy Execution Order
This policy is executed before all policies in request processing. For pre-flight requests, browsers check the list of allowed headers and request methods by the API endpoint.
Multiexcerpt include macro | ||||
---|---|---|---|---|
|
Parameter Name | Description | Default Value | Example |
---|---|---|---|
Label | Required. The name for the API policy. | CORS Restriction | CORS_DevAPI_Project |
When this policy should be applied | An expression enabled field that determines the condition to be fulfilled for the API policy to execute. | True | request.method == “POST” |
Access Control Request Methods | Allowed request methods. Supported methods are POST, PUT, GET, DELETE, OPTIONS, PATCH. | All methods selected. | GET, POST |
Access Control Request Headers | Required. List of allowed request headers apart from CORS safe headers. | N/A | X-Custom-Header |
Access Control Max Age | Time period for which browser needs to cache the API endpoint for pre-flight requests. | 300 | 175 |
Access Control Allow Credentials | Allowed response headers if APIM end points adds new headers as part of response. | Enabled | Disabled |