Use the CORS policy to set the appropriate headers for requests coming from a different domain so that the response is not blocked by browser. Restricting access to APIs based on the client’s request origin/domain address is an extra layer of security for protecting your Snaplex nodes. Restriction also applies to the combination of allowed headers, request methods, or domains.
| Note |
|---|
CORS is a client browser enabled security feature. The CORS policy does not restrict request processing at the API Manager endpoint if the request is coming from a different combination of either origin, method, or headers; however, the request is blocked by the client browser. |
Policy Execution Order
This policy is executed before all policies in request processing. For pre-flight requests, browsers check the list of allowed headers and request methods by the API endpoint.
| Multiexcerpt include macro | ||||
|---|---|---|---|---|
|
| Parameter Name | Description | Default Value | Example |
|---|---|---|---|
| Label | Required. The name for the API policy. | CORS Restriction | CORS_DevAPI_Project |
| When this policy should be applied | An expression enabled field that determines the condition to be fulfilled for the API policy to execute. | True | request.method == “POST” |
| Access Control Request Methods | Allowed request methods. Supported methods are POST, PUT, GET, DELETE, OPTIONS, PATCH. | All methods selected. | GET, POST |
| Access Control Request Headers | Required. List of allowed request headers apart from CORS safe headers. | N/A | X-Custom-Header |
| Access Control Max Age | Time period for which browser needs to cache the API endpoint for pre-flight requests. | 300 | 175 |
| Access Control Allow Credentials | Allowed response headers if APIM end points adds new headers as part of response. | Enabled | Disabled |
See Also
- Managing APIs in SnapLogic API Management
- Managing your API Developer Portal
- API Policy Manager
- API Dashboard WallInsights