Cross-origin resource sharing (CORS) settings allow user agents to request resources from external domains. You can specify origin hostnames, methods, and headers that you want to accept via HTTP response headers.
- On the API Definitions page, in the Registered APIs section, click the ellipsis icon associated with the API configuration you want to configure CORS settings for.
- From the menu, select Manage versions.
- In the Version history panel, click the ellipsis icon associated with the API configuration version you want to configure CORS settings for.
- From the list of delivery options, select Cross origin resource sharing (CORS).
- On the CORS settings page, set the Enable CORS switch to Yes.
- To accept credentialed HTTP requests, set the Allow credentials switch to Yes.
  Credentials may be cookies or TLS client certificates.
- If you allowed credentials, in the Preflight max age field, enter the maximum time (in seconds) for caching responses to preflight
  Note: The value must be between 1 and 1000000. The Preflight max age value corresponds to the Access-Control-Max-Age response header value.
- In the Allowed origins text box, enter the hostnames that you want to allow via the
  The hostnames that you enter must start with https. For detailed hostname syntax requirements, refer to RFC-952 and RFC-1123 specifications.
  If you did not allow credentials, you can enter the wildcard (*) sign to accept all hostnames.
- In the Allowed methods box, select the HTTP methods that you want to allow via the
- In the Allowed headers text box, enter the names of HTTP headers that you want to allow via the
- In the Expose headers text box, enter the names of headers that you want to expose via the Access-Control-Expose-Headers response header.
  By default, clients can access the following simple response headers:
  If you want to make other headers accessible to clients, list these headers in the Expose headers box.
- Click Save.
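
The constraints in the steps above (origins that start with https and use RFC 952/1123 hostnames, no wildcard once credentials are allowed, Preflight max age between 1 and 1000000) can be checked before a configuration is saved. This is an added example, not code from the product: the settings dictionary, its key names, and the function names are hypothetical, and origins are assumed to be written as https://hostname.

```python
import re
from urllib.parse import urlsplit

# RFC 952 / RFC 1123 label: letters, digits, hyphens; no leading or trailing hyphen.
LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

def check_origin(origin, allow_credentials):
    """Return a problem string for one Allowed origins entry, or None if it passes."""
    if origin == "*":
        # The page permits the wildcard only when credentials are not allowed.
        return "wildcard origin with credentials allowed" if allow_credentials else None
    try:
        parts = urlsplit(origin)
    except ValueError:
        return f"{origin!r} is not a valid RFC 952/1123 hostname"
    if parts.scheme != "https":
        return f"{origin!r} does not start with https"
    host = parts.hostname or ""
    labels_ok = all(LABEL.match(label) for label in host.split("."))
    if not host or len(host) > 253 or not labels_ok:
        return f"{origin!r} is not a valid RFC 952/1123 hostname"
    return None

def validate_cors(settings):
    """Check a settings dict (hypothetical key names) against the rules on this page."""
    creds = settings.get("allow_credentials", False)
    checks = (check_origin(o, creds) for o in settings.get("allowed_origins", []))
    problems = [p for p in checks if p]
    age = settings.get("preflight_max_age")
    if age is not None and not (isinstance(age, int) and 1 <= age <= 1000000):
        problems.append("Preflight max age must be between 1 and 1000000")
    return problems

# Constructed sample: credentials are on, so "*" and the http origin must be rejected.
SAMPLE = {
    "allow_credentials": True,
    "preflight_max_age": 86400,
    "allowed_origins": ["https://app.example.com", "*", "http://legacy.example.com"],
}

if __name__ == "__main__":
    for problem in validate_cors(SAMPLE):
        print("REJECT:", problem)
```

The wildcard check matters beyond this form: browsers do not accept a wildcard allowed origin on credentialed requests, so that combination would fail at the client even if it were saved.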