The Default CORS Policy rule

This rule includes multiple instances of the Modify Outgoing Response Header behavior, predefined with recommended values. (They are applied as "recommended behaviors.")

Each individual header is populated with recommended values as follows:

  • Access-Control-Allow-Origin: This is populated with the value “*” to indicate “all”.
  • Access-Control-Allow-Methods: This is populated with the following request methods: GET, POST, and OPTIONS.
  • Access-Control-Allow-Headers: This is populated with the values “origin”, “range”, “hdntl”, and “hdnts”.
  • Access-Control-Expose-Headers: This is populated with the values “Server”, “range”, “hdntl”, and “hdnts”.
  • Access-Control-Allow-Headers: This is set to “true”.
  • Access-Control-Max-Age: This is set to “86400” seconds (or 24 hours).

This rule and its Behaviors are not mandatory and can be removed (via the “X” icon in the Rule itself, or in each Behavior), but it is recommended that they be left as is.
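To see which cross-origin requests the default values listed above would let through, the following added example (not part of the original documentation or the product's own code) models a browser's preflight check in simplified form. The `checkPreflight` function, the request shape, and the sample origin are assumptions made for illustration.

```javascript
// Added example: simplified model of the browser-side CORS preflight check.
// Header values are the rule's defaults as listed on this page.
const DEFAULT_POLICY = {
  "access-control-allow-origin": "*",
  "access-control-allow-methods": "GET, POST, OPTIONS",
  "access-control-allow-headers": "origin, range, hdntl, hdnts",
  "access-control-max-age": "86400",
};

// Methods and request headers that never need to be listed (Fetch standard).
// Simplification: Content-Type is safelisted only for some values, so it is
// treated as non-safelisted here.
const SAFE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFE_HEADERS = new Set(["accept", "accept-language", "content-language"]);

const list = (v) => (v || "").split(",").map((s) => s.trim()).filter(Boolean);

// request: { origin, method, headers } is a hypothetical shape for this example.
function checkPreflight(policy, { origin, method, headers = [] }) {
  const reasons = [];
  const allowOrigin = policy["access-control-allow-origin"];
  if (allowOrigin !== "*" && allowOrigin !== origin) {
    reasons.push(`origin ${origin} not allowed`);
  }
  const methods = new Set(list(policy["access-control-allow-methods"]));
  const m = method.toUpperCase();
  if (!SAFE_METHODS.has(m) && !methods.has(m)) {
    reasons.push(`method ${m} not allowed`);
  }
  const allowed = new Set(
    list(policy["access-control-allow-headers"]).map((h) => h.toLowerCase())
  );
  for (const h of headers.map((x) => x.toLowerCase())) {
    if (!SAFE_HEADERS.has(h) && !allowed.has(h)) reasons.push(`header ${h} not allowed`);
  }
  // Max-Age is how long the browser may cache a successful preflight result.
  const cacheSeconds = reasons.length ? 0 : Number(policy["access-control-max-age"]) || 0;
  return { allowed: reasons.length === 0, reasons, cacheSeconds };
}

// Constructed sample requests (origin is a placeholder).
const samples = [
  { origin: "https://player.example", method: "GET", headers: ["Range", "hdnts"] },
  { origin: "https://player.example", method: "PUT", headers: [] },
  { origin: "https://player.example", method: "GET", headers: ["Authorization"] },
];
for (const s of samples) console.log(s.method, s.headers, checkPreflight(DEFAULT_POLICY, s));
```

With the defaults, a GET carrying `Range` and `hdnts` passes, while a PUT or a request sending an unlisted header such as `Authorization` fails the preflight.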