Cross Origin Resource Sharing (CORS) Restriction 

Use the CORS policy to set the appropriate headers for requests coming from a different domain so that the response is not blocked by the browser. Restricting access to APIs based on the client’s request origin/domain address is an extra layer of security for protecting your Snaplex nodes. The restriction also applies to the combination of allowed headers, request methods, or domains. The CORS Restriction API policy includes response headers for Access-Control-Allow-MethodsAccess-Control-Allow-Orgin, and Access-Control=Expose-Headers.

CORS is a client browser-enabled security feature. The CORS policy does not restrict request processing at the API Manager endpoint if the request is coming from a different combination of either origin, method, or headers; however, the request is blocked by the client browser. 

NOTE: You cannot use request.remoteUser or request.isUserInRole() functions with the Early Request Validator policy, which is applied before authentication. Instead, use the Authorized Request Validator policy and set the Condition parameter to the Boolean returned by these functions.

Policy Execution Order

This policy is executed before all policies in request processing. For pre-flight requests, browsers check the list of allowed headers and request methods by the API endpoint.

Expression Enabled Fields in API Policies

All expression enabled fields take expressions from the SnapLogic Expression Language and the API Policy Manager functions.

Parameter NameDescriptionDefault ValueExample
LabelRequired. The name for the API policy.CORS RestrictionCORS_DevAPI_Project
When this policy should be applied

An expression enabled field that determines the condition to be fulfilled for the API policy to execute. 

Truerequest.method == “POST”
Access Control Request Methods

Allowed request methods. Supported methods are POST, PUT, GET, DELETE, OPTIONS, PATCH.

All methods selected.GET, POST
Access Control Request HeadersRequired. List of allowed request headers apart from CORS safe headers.N/AX-Custom-Header
Access Control Max Age

Time period for which browser needs to cache the API endpoint for pre-flight requests.

Access Control Allow Credentials

Allowed response headers if APIM end points adds new headers as part of response.