Enabling CORS support for an API

You can enable cross-origin resource sharing (CORS) support for your API. CORS lets a script running in a web page served from one origin call the API on another origin; the browser enforces the policy according to the Access-Control-* headers that the API returns.

About this task

The API Connect implementation of CORS returns an Access-Control-Allow-Origin value that matches the requested Origin. Because the value is copied from the request, any origin is effectively allowed. If you need tighter security (for example, an explicit allowlist of origins), disable CORS on the gateway and implement CORS as needed, using either a GatewayScript or XSLT policy in the assembly, a custom policy, a DataPower® extension, or the backend.

Note: The API Manager UI also includes the ability to apply security definitions. However, the preferred method for these tasks is by using the API Designer UI, as described here. Any steps that are specific to a particular UI are marked with an icon.

Procedure

To enable CORS support for an API, complete the following steps:

  1. Click APIs.
    The APIs tab opens.
  2. If you have not previously pinned the UI navigation pane, click the Navigate to icon.
    The API Manager UI navigation pane opens. To pin the UI navigation pane, click the Pin menu icon.
  3. Click Drafts in the UI navigation pane, and then click APIs.
    The APIs tab opens.
  4. To enable CORS support for an existing API, click the API that you want to work with. To create a new API before enabling CORS on it, see Creating API definitions.
  5. Navigate to the Lifecycle section.
  6. Ensure that the CORS slider is in the On position.
  7. Click the Save icon to save your changes.
  8. Optional: To implement your own CORS solution using custom OPTIONS operations, complete the following steps:
    1. Add the following headers to your HTTP responses:
      Access-Control-Allow-Origin: https://<portalhostname>
      Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept 
      Where <portalhostname> is your Developer Portal host name. Restricting Access-Control-Allow-Origin to that single origin, rather than reflecting the request Origin, is what makes this approach tighter than the gateway default.
    2. Optional: You can proxy your API through API Connect as an enforced invoke API so that the gateway handles CORS automatically.
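The following is an added example, not API Connect product code. It models the two policies this page contrasts: the gateway default described under "About this task" (reflect whatever Origin the request carries) and the tighter allowlist policy that step 8 describes (a single Developer Portal origin plus a fixed Allow-Headers list), including the preflight OPTIONS handling that step 8 leaves to you. The logic is plain JavaScript so that it can be adapted to a GatewayScript policy or a backend; the portal origin https://portal.example.com, the request shape {method, headers} with lowercase header names, and the 600-second preflight cache lifetime are assumptions for the example.

```javascript
// Added example; not API Connect product code. Request objects are plain
// {method, headers} with lowercase header names (an assumption; adapt to the
// request API of your gateway or backend framework).

// Assumed Developer Portal origin, standing in for https://<portalhostname>.
const ALLOWED_ORIGINS = new Set(["https://portal.example.com"]);
const ALLOWED_METHODS = ["GET", "POST", "OPTIONS"];
// Same header list the page gives in step 8.
const ALLOWED_HEADERS = ["Origin", "X-Requested-With", "Content-Type", "Accept"];
const ALLOWED_HEADERS_LC = new Set(ALLOWED_HEADERS.map((h) => h.toLowerCase()));

// Gateway default described under "About this task": echo the request Origin.
// Every origin is therefore allowed to read the API's responses.
function reflectingCorsHeaders(req) {
  const origin = req.headers["origin"];
  return origin ? { "Access-Control-Allow-Origin": origin } : {};
}

// Allowlist policy. Returns {status, headers}: 204 means answer the preflight
// at the gateway, 403 means reject it, null means continue to the API and
// merge `headers` into its response.
function handleCors(req) {
  const origin = req.headers["origin"];
  const isPreflight =
    req.method === "OPTIONS" && "access-control-request-method" in req.headers;

  // Same-origin request or non-browser client: nothing to add.
  if (!origin) return { status: null, headers: {} };

  // Vary: Origin on every cross-origin answer so a shared cache never serves
  // one origin's response to another.
  const headers = { Vary: "Origin" };

  // Exact match only. Prefix, suffix and regex matching are where most
  // allowlist bypasses come from (e.g. https://portal.example.com.attacker.example).
  if (!ALLOWED_ORIGINS.has(origin)) {
    // No Access-Control-Allow-Origin: the browser refuses to expose the
    // response to the page. Preflights are refused outright, so the real
    // request is never sent.
    return { status: isPreflight ? 403 : null, headers };
  }

  headers["Access-Control-Allow-Origin"] = origin;
  // Access-Control-Allow-Credentials is deliberately not set; this example
  // assumes the API is called with an explicit API key header, not cookies.
  if (!isPreflight) return { status: null, headers };

  const method = req.headers["access-control-request-method"].toUpperCase();
  if (!ALLOWED_METHODS.includes(method)) return { status: 403, headers };

  // Every header the browser intends to send must be on the allowlist.
  const requested = (req.headers["access-control-request-headers"] || "")
    .split(",")
    .map((h) => h.trim().toLowerCase())
    .filter((h) => h.length > 0);
  if (!requested.every((h) => ALLOWED_HEADERS_LC.has(h))) {
    return { status: 403, headers };
  }

  headers["Access-Control-Allow-Methods"] = ALLOWED_METHODS.join(", ");
  headers["Access-Control-Allow-Headers"] = ALLOWED_HEADERS.join(", ");
  headers["Access-Control-Max-Age"] = "600"; // assumed preflight cache lifetime
  return { status: 204, headers };
}

// Constructed sample requests showing the difference between the two policies.
const fromPortal = { method: "GET", headers: { origin: "https://portal.example.com" } };
const fromAttacker = { method: "GET", headers: { origin: "https://attacker.example" } };
console.log(reflectingCorsHeaders(fromAttacker)); // attacker origin echoed back
console.log(handleCors(fromPortal));              // status null, ACAO = portal origin
console.log(handleCors(fromAttacker));            // status null, no ACAO header
```

If the API is secured with an API key sent as a request header, that header name must be added to ALLOWED_HEADERS, otherwise the browser's preflight fails and the call never reaches the API; the list in step 8 covers only the headers named there.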