Add the domains from which your API clients can call the Verify APIs.
The specified domains are defined as acceptable values for the Access-Control-Allow-Origin HTTP header that is included in the Verify response to a cross-origin request.
Before you begin
- You must have administrative permission to complete this task.
- Log in to the IBM® Security Verify administration console as an Administrator.
About this task
Websites are commonly restricted to accessing resources from the same origin or
domain because of a same-origin policy. It is a security mitigation for risks that are
associated with cross-domain scripting. Verify supports
Cross-Origin Resource Sharing (CORS), a security mechanism that uses HTTP headers to
allow a web page from one domain to access a resource from another domain.
When Verify receives a cross-origin request, it validates the domain value in the Origin HTTP header to determine whether to allow access to its API endpoints. If the specified domain is in the list of allowed domains, Verify sets the Access-Control-Allow-Origin HTTP header to match the value in the request header Origin.
Procedure
- Select
- Add a domain.
  - Select Add domain.
    The Add domain dialog box is displayed.
  - Specify how the APIs store the domain.
    Table 1. Domain
    | Information | Descriptions |
    | --- | --- |
    | Domain | The internet domain from which your API client intends to call the Verify APIs. It can be a fully qualified domain name (https://www.company.com), a domain name with a wildcard (https://*.company.com), or a regular expression (Regex: http[s]?:\/\/[^.]*\.company\.com). |
    | Regular Expression | Indicates whether Verify can interpret the specified Domain value as a set of characters that defines a search pattern. A regular expression can contain simple characters to search for a direct match or special characters for a broader search result. For example: http[s]?:\/\/company.com\/apiclient\/v[1-3] When the value is treated as a regular expression, all domains that match the pattern are allowed to access the Verify APIs. If disabled, the Domain value is interpreted literally as specified. |
  - Select Save.
- Edit the domain.
  - Hover over the domain and select the icon when it appears.
    The Edit Domain dialog box is displayed.
  - Edit the information.
  - Select Save.
- Delete the domain.
  You can delete one or multiple domains. When you delete a domain, it is removed as a value from the Access-Control-Allow-Origin HTTP header. If an API client from the deleted domain attempts to call a Verify API endpoint, the call request is denied.
  - Choose one of the following options in the Allowed domains page:
    - Hover over a domain and select the icon when it appears.
    - Select the check box for one or more domains and select Delete from the header.
  - Confirm that you want to permanently delete the selected domain or domains.
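
The following is an added example (not IBM's code) for checking a candidate Regular Expression value before you save it: it runs the Regex pattern from Table 1 against constructed Origin values and reports which ones it would accept. The page does not say whether Verify requires the pattern to match the whole Origin value, so both full-string and substring matching are evaluated; the anchored pattern, the sample origins and the helper names are assumptions.

```python
import re

# Pattern copied from the "Regex:" example in the Domain row of Table 1.
PAGE_PATTERN = r"http[s]?:\/\/[^.]*\.company\.com"
# Assumption: a tighter variant with explicit anchors, https only, one host label.
ANCHORED_PATTERN = r"^https:\/\/[a-z0-9-]+\.company\.com$"

# Constructed Origin header values (scheme://host[:port]); True marks the
# origins this hypothetical deployment intends to allow.
SAMPLE_ORIGINS = {
    "https://www.company.com": True,
    "https://api.company.com": True,
    "http://www.company.com": False,               # cleartext scheme
    "https://www.company.com:8443": False,         # unexpected port
    "https://www.company.com.example.net": False,  # different registrable domain
    "https://a.b.company.com": False,              # two labels deep
}


def accepts(pattern, origin, full=True):
    """Does `pattern` accept `origin` under full-string or substring matching?"""
    rx = re.compile(pattern)
    return (rx.fullmatch(origin) if full else rx.search(origin)) is not None


def unintended(pattern, origins, full=True):
    """Origins the pattern accepts although they are not marked as intended."""
    return sorted(o for o, ok in origins.items()
                  if not ok and accepts(pattern, o, full))


def missed(pattern, origins, full=True):
    """Intended origins the pattern rejects."""
    return sorted(o for o, ok in origins.items()
                  if ok and not accepts(pattern, o, full))


if __name__ == "__main__":
    for name, pat in (("page", PAGE_PATTERN), ("anchored", ANCHORED_PATTERN)):
        for full in (True, False):
            mode = "full match" if full else "substring"
            print(f"{name:8} {mode:10} "
                  f"unintended={unintended(pat, SAMPLE_ORIGINS, full)} "
                  f"missed={missed(pat, SAMPLE_ORIGINS, full)}")
```

An empty "unintended" list under both matching modes is the result to aim for before a pattern goes into the Allowed domains list.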