Managing domains

Add the domains from which your API clients can call the Verify APIs. The specified domains are defined as acceptable values for the Access-Control-Allow-Origin HTTP header that is included in the Verify response to a cross-origin request.

Before you begin

  • You must have administrative permission to complete this task.
  • Log in to the IBM® Security Verify administration console as an Administrator.

About this task

Websites are commonly restricted to accessing resources from the same origin or domain because of a same-origin policy. The same-origin policy is a security mitigation for risks that are associated with cross-domain scripting. Verify supports Cross-Origin Resource Sharing (CORS), a security mechanism that uses HTTP headers to allow a web page from one domain to access a resource from another domain.

When Verify receives a cross-origin request, it validates the domain value in the Origin HTTP header to determine whether to allow access to its API endpoints. If the specified domain is in the list of allowed domains, Verify sets the Access-Control-Allow-Origin HTTP header to match the value in the Origin request header.

Procedure

  1. Select Security > API access > Allowed domains.
  2. Add a domain.
    1. Select Add domain.
      The Add domain dialog box is displayed.
    2. Specify how the APIs store the domain.
      Table 1. Domain

      Information: Domain
      Descriptions:

      The internet domain from which your API client intends to call the Verify APIs.

      It can be:
      • A fully qualified domain name, for example https://www.company.com
      • A domain name with a wildcard, for example https://*.company.com
      • A regular expression. Regex: http[s]?:\/\/[^.]*\.company\.com

      Information: Regular Expression
      Descriptions:

      Indicates whether Verify can interpret the specified Domain value as a set of characters that defines a search pattern.

      A regular expression can contain simple characters to search for a direct match or special characters for a broader search result. For example: http[s]?:\/\/company.com\/apiclient\/v[1-3]

      When the value is treated as a regular expression, all domains that match the pattern are allowed to access the Verify APIs.

      If disabled, the Domain value is interpreted literally as specified.

    3. Select Save.
  3. Edit the domain.
    1. Hover over the domain and select the Edit icon when it appears.
      The Edit Domain dialog box is displayed.
    2. Edit the information.
    3. Select Save.
  4. Delete the domain.

    You can delete one or multiple domains. When you delete a domain, it is removed as a value from the Access-Control-Allow-Origin HTTP header. If an API client from the deleted domain attempts to call a Verify API endpoint, the call request is denied.

    1. Choose one of the following options on the Allowed domains page:
      • Hover over a domain and select the Delete icon when it appears.
      • Select the check box for one or more domains and select Delete from the header.
    2. Confirm that you want to permanently delete the selected domain or domains.
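
Because the Regular Expression option in step 2 allows every origin that matches the pattern, a pattern is worth checking against look-alike origins before it is saved. The following is an added example, not IBM's code and not Verify's matching logic: the `audit` helper, the probe origins, the two variant patterns, and the assumption that a pattern may be searched within the Origin value rather than matched against all of it are hypothetical.

```python
import re

# Constructed probe origins (not taken from the product documentation).
EXPECTED = ["https://app.company.com", "http://api.company.com"]
LOOKALIKES = [
    "https://app.company.com.example.net",  # allowed name used as a prefix
    "https://appXcompany.com",              # matches only if "." is unescaped
]


def audit(pattern, expected=EXPECTED, lookalikes=LOOKALIKES):
    """Report origins that a candidate pattern misses or over-matches.

    Assumption: the pattern might be searched within the Origin value, so
    re.search (the looser semantics) is used. A pattern that is clean here
    is also clean if the whole value is matched.
    """
    rx = re.compile(pattern)
    return {
        "missed": [o for o in expected if not rx.search(o)],
        "overmatched": [o for o in lookalikes if rx.search(o)],
    }


# Pattern exactly as shown in the Domain row of Table 1.
PAGE_PATTERN = r"http[s]?:\/\/[^.]*\.company\.com"
# Same intent, anchored at both ends, with one non-empty subdomain label.
ANCHORED_PATTERN = r"^https?:\/\/[^.\/]+\.company\.com$"
# Anchored but with unescaped dots, to show why the escapes matter.
UNESCAPED_PATTERN = r"^https?:\/\/[^.\/]*.company.com$"

if __name__ == "__main__":
    for name, pattern in [
        ("page", PAGE_PATTERN),
        ("anchored", ANCHORED_PATTERN),
        ("unescaped", UNESCAPED_PATTERN),
    ]:
        print(f"{name:10} {audit(pattern)}")
```

Under the search assumption, only the anchored pattern with escaped dots reports an empty `overmatched` list for these probes.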