Cross Origin Resource Sharing (CORS) Restriction 


Use the CORS policy to set the appropriate headers on responses to requests coming from a different domain, so that the browser does not block the response. Restricting access to APIs based on the origin (domain) of the client's request adds an extra layer of security for protecting your Snaplex nodes. The restriction also applies to the combination of allowed headers, request methods, and domains. The CORS Restriction API policy includes the response headers Access-Control-Allow-Methods, Access-Control-Allow-Origin, and Access-Control-Expose-Headers.

CORS is a security feature enforced by the client browser. The CORS policy does not stop the API Manager endpoint from processing a request that arrives with a combination of origin, method, or headers that is not allowed; instead, the request is blocked by the client browser.

NOTE: You cannot use request.remoteUser or request.isUserInRole() functions with the Early Request Validator policy, which is applied before authentication. Instead, use the Authorized Request Validator policy and set the Condition parameter to the Boolean returned by these functions.

Policy Execution Order

This policy is executed before all other policies in request processing. For pre-flight requests, browsers check the list of headers and request methods allowed by the API endpoint.


| Parameter Name | Description | Default Value | Example |
| --- | --- | --- | --- |
| Label | Required. The name for the API policy. | CORS Restriction | CORS_DevAPI_Project |
| When this policy should be applied | An expression-enabled field that determines the condition to be fulfilled for the API policy to execute. | True | request.method == "POST" |
| Access Control Request Methods | Allowed request methods. Supported methods are POST, PUT, GET, DELETE, OPTIONS, and PATCH. | All methods selected. | GET, POST |
| Access Control Request Headers | Required. List of allowed request headers apart from the CORS-safelisted headers. | N/A | X-Custom-Header |
| Access Control Max Age | Time period for which the browser caches the API endpoint's pre-flight response. | 300 | 175 |
| Access Control Allow Credentials | Allowed response headers if the APIM endpoint adds new headers as part of the response. | Enabled | Disabled |
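The following is an added reference model, not SnapLogic's own policy code, of how a browser pre-flight request is evaluated against the parameters in the table above (allowed origins, request methods, request headers, max age, and credentials) and which response headers come back. The allowed-origin set, the `exposed_headers` field and the sample origin values are assumptions introduced for the illustration.

```python
"""Reference model of a CORS restriction policy answering a browser pre-flight.
Not SnapLogic code; origins, exposed_headers and sample values are constructed."""
from dataclasses import dataclass, field

# Request headers a browser may send without the policy listing them (CORS-safelisted).
SAFE_REQUEST_HEADERS = {"accept", "accept-language", "content-language", "content-type"}
ALL_METHODS = {"GET", "POST", "PUT", "DELETE", "OPTIONS", "PATCH"}


@dataclass
class CorsPolicy:
    allowed_origins: set                                   # assumed: origins (domains) allowed to call the API
    allowed_methods: set = field(default_factory=lambda: set(ALL_METHODS))  # Access Control Request Methods
    allowed_headers: set = field(default_factory=set)      # Access Control Request Headers
    exposed_headers: set = field(default_factory=set)      # assumed: sent as Access-Control-Expose-Headers
    max_age: int = 300                                     # Access Control Max Age
    allow_credentials: bool = True                         # Access Control Allow Credentials


def preflight(policy, origin, method, requested_headers):
    """Evaluate a pre-flight (OPTIONS) request.

    Returns the CORS response headers to send, or None when the origin, method
    or header combination is not allowed (the browser then blocks the request).
    """
    if origin not in policy.allowed_origins:
        return None
    if method.upper() not in policy.allowed_methods:
        return None
    # Every non-safelisted header the client wants to send must be listed explicitly.
    extra = {h.strip().lower() for h in requested_headers} - SAFE_REQUEST_HEADERS
    if not extra <= {h.lower() for h in policy.allowed_headers}:
        return None
    headers = {
        # Echo the specific origin; "*" is not accepted by browsers when credentials are allowed.
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Methods": ", ".join(sorted(policy.allowed_methods)),
        "Access-Control-Allow-Headers": ", ".join(sorted(policy.allowed_headers)),
        "Access-Control-Max-Age": str(policy.max_age),
        "Vary": "Origin",  # caches must key on Origin because the allowed origin is echoed
    }
    if policy.exposed_headers:
        headers["Access-Control-Expose-Headers"] = ", ".join(sorted(policy.exposed_headers))
    if policy.allow_credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers
```

Note that a rejected pre-flight only withholds the CORS headers; as the text above explains, the endpoint itself still processes a non-browser client's request, so this check is a browser-side protection and not an authorization control.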