Configure CORS

Cross-origin resource sharing (CORS) settings allow user agents to request resources from external domains. You can specify origin hostnames, methods, and headers that you want to accept via HTTP response headers.

Try the API: You can also complete this task by using the API Endpoints API. Run the Update CORS settings operation. Learn more about Akamai’s APIs.

How to

  1. On the API Definitions page, in the Registered APIs section, click the ellipsis icon () associated with the API configuration you want to configure CORS settings for.
  2. From the menu, select Manage versions.
  3. In the Version history panel, click the ellipsis icon () associated with the API configuration version you want to configure CORS settings for.
  4. From the list of delivery options, select Cross origin resource sharing (CORS).
  5. On the CORS settings page, set the Enable CORS switch to Yes.
  6. Optional: To accept credentialed HTTP requests, set the Allow credentials switch to Yes.
    Credentials may be cookies or TLS client certificates.
  7. If you allowed credentials, in the Preflight max age field, enter the maximum time (in seconds) for caching responses to preflight requests.
    Note: The value must be between 1 and 1000000. The Preflight max age value corresponds to the Access-Control-Max-Age response header value.
  8. In the Allowed origins text box, enter the hostnames that you want to allow via the Access-Control-Allow-Origin response header.
    Note:

    The hostnames that you enter must start with http or https. For detailed hostname syntax requirements, refer to RFC-952 and RFC-1123 specifications.

    If you did not allow credentials, you can enter the wildcard (*) sign to accept all hostnames.

  9. In the Allowed methods box, select the HTTP methods that you want to allow via the Access-Control-Allow-Methods response header.
  10. In the Allowed headers text box, enter the names of HTTP headers that you want to allow via the Access-Control-Allow-Headers response header.
  11. In the Expose headers text box, enter the names of headers that you want to expose via the Access-Control-Expose-Headers response header.
    By default, clients can access the following simple response headers:
    • Cache-Control
    • Content-Language
    • Content-Type
    • Expires
    • Last-Modified
    • Pragma

    If you want to make other headers accessible to clients, list these headers in the Expose headers box.

  12. Click Save.