Calling an API by using CORS

CORS (cross-origin resource sharing) is a technique that allows calls to be made from code that is running in a browser to a third-party server (such as APIs running on an API Connect Gateway). By default, these calls are not allowed under the same-origin security policy that is applied to the browser sandbox. Without CORS support, web developers are required to use more complex techniques such as server-side proxies.

About this task

API Connect Gateway servers support CORS to make it as easy as possible for web developers to use APIs within their web applications. Calling an API from a CORS-enabled browser is as simple as setting the Origin header on the API request to the value of the origin server of your application.
CORS is supported in the following browsers:
  • Chrome 3+
  • Firefox 3.5+
  • Internet Explorer V11, or later
  • Opera 12+
  • Safari 4+

Procedure

  1. In your application, set the headers according to the following sample request.
    OPTIONS /org/env/api/resource HTTP/1.1
    User-Agent: useragent details
    X-IBM-Client-Id: 1234
    Host: x.xx.xxx.xx
    Origin: http://example/example/testui.html
    Accept: */*
  2. Your browser handles the preflight check.

Results

The following sample response is received:
HTTP/1.1 200 OK
X-Backside-Transport: FAIL FAIL 
Connection: Keep-Alive
Transfer-Encoding: chunked
Access-Control-Allow-Origin: http://example/example/testui.html
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: accept, accept-language, content-type, x-ibm-client-id
Access-Control-Allow-Methods: <methods allowed on the resource>
Vary: Origin
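
The preflight check that the browser performs in step 2, applied to a response shaped like the sample above, written out as an added example (it is not IBM's code). The origin `https://app.example`, the `GET, PUT` method list and the function names `parseResponse` and `checkPreflight` are assumptions made for illustration; the final `Vary` check is a cache-safety check rather than a browser rule.

```javascript
// Constructed sample modelled on the page's response; origin and methods are made up.
const SAMPLE_RESPONSE = [
  "HTTP/1.1 200 OK",
  "Access-Control-Allow-Origin: https://app.example",
  "Access-Control-Allow-Credentials: true",
  "Access-Control-Allow-Headers: accept, accept-language, content-type, x-ibm-client-id",
  "Access-Control-Allow-Methods: GET, PUT",
  "Vary: Origin",
].join("\r\n");
// Split a raw response head into a status code and a lower-cased header map.
function parseResponse(raw) {
  const [statusLine, ...lines] = raw.trim().split(/\r?\n/);
  const headers = {};
  for (const line of lines) {
    const i = line.indexOf(":");
    if (i > 0) headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  return { status: Number(statusLine.split(" ")[1]), headers };
}
const list = (v) => (v || "").split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);
// req = { origin, method, headers: [non-safelisted names], credentials: boolean }.
// Returns the reasons the preflight would fail; an empty array means it passes.
function checkPreflight(req, rawResponse) {
  const { status, headers } = parseResponse(rawResponse);
  const problems = [];
  const acao = headers["access-control-allow-origin"];
  // A wildcard only counts as a match when the request carries no credentials.
  const permits = (values, name) =>
    values.includes(name) || (values.includes("*") && !req.credentials);
  if (status < 200 || status > 299) problems.push("status is not 2xx");
  if (acao === "*" ? req.credentials : acao !== req.origin)
    problems.push("origin not allowed");
  if (req.credentials && headers["access-control-allow-credentials"] !== "true")
    problems.push("credentials not allowed");
  // Method names are compared case-insensitively here as a simplification.
  const method = req.method.toLowerCase();
  if (!["get", "head", "post"].includes(method) &&
      !permits(list(headers["access-control-allow-methods"]), method))
    problems.push("method not allowed: " + req.method);
  for (const h of req.headers.map((x) => x.toLowerCase()))
    if (!permits(list(headers["access-control-allow-headers"]), h))
      problems.push("header not allowed: " + h);
  // Cache-safety check, not a browser rule: a per-request origin needs Vary: Origin.
  if (acao && acao !== "*" && !list(headers["vary"]).includes("origin"))
    problems.push("missing Vary: Origin");
  return problems;
}
const SAMPLE_REQUEST = { origin: "https://app.example", method: "PUT", headers: ["X-IBM-Client-Id"], credentials: true };
console.log(checkPreflight(SAMPLE_REQUEST, SAMPLE_RESPONSE)); // empty array: preflight passes
```
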