CORS

The Cross-Origin Resource Sharing (CORS) mechanism supports secure cross-domain requests and data transfers between browsers and web servers. The CORS standard works by adding HTTP headers that allow a server to describe the set of origins that are permitted to read its responses. This policy provides CORS support that uses those additional HTTP headers to let a client or an application gain permission to access selected resources. An application or a client makes a cross-origin HTTP request when it requests a resource from a different domain, protocol, or port than the one from which the current request originated.

In API Studio, this policy is identified by the kind CORS.

Here is sample code for the CORS policy.

kind: CORS
apiVersion: api.webmethods.io/beta
metadata:
  name: Enforce CORS policy
  version: 1
spec:
  allowedOrigins:
    - www.domain.com
    - www.test.com
  allowedHeaders:
    - header1
    - header2
  exposedHeaders:
    - header3
    - header4
  allowCredentials: true
  allowedMethods:
    - GET
    - POST
    - PUT
    - DELETE
  maxAge: 34

The structure in the code view and what it denotes is as follows.

kind
  CORS. This denotes the asset type, CORS policy.

apiVersion
  This denotes the API version of the API on which this policy is enforced.

metadata
  This denotes the metadata or details of the asset type. It covers the following metadata:
    • name. Name of the policy.
    • version. Version of the policy.

spec
  This denotes the various policy properties you can configure for the policy. You can configure the following policy properties:
    • allowedOrigins. Specifies the origins from which cross-origin requests are allowed. Syntax for an origin: www.domain.com. You can add multiple origins.
    • allowedHeaders. Specifies the headers that are allowed in the request. You can add multiple headers that are to be allowed.
    • exposedHeaders. Specifies the headers that are exposed to the user on request failure. You can add multiple headers that are to be exposed.
    • allowCredentials. Specifies whether API Studio includes the Access-Control-Allow-Credentials header. The default value is true.
    • allowedMethods. Specifies the methods that are allowed in the request. Specify one or more of the following: GET, POST, PUT, and DELETE.
    • maxAge. Specifies the duration for which the preflight response is valid.
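To make the mapping between the policy fields above and the headers a browser actually sees concrete, here is an added worked example (not API Studio's implementation and not code from this page): it loads the sample policy as a Python dict, evaluates a simple request and an OPTIONS preflight against it, and lints the policy for the two classic misconfigurations. The scheme-stripping in _origin_host is an assumption made so that a browser's Origin header (https://www.domain.com) can be compared with the page's host-only syntax (www.domain.com); origins are matched exactly, never by prefix or substring, so www.domain.com.attacker.example does not match www.domain.com.

```python
# Added example: simulates how a CORS policy shaped like the sample above
# becomes response headers. Hypothetical code, not API Studio's own.

# The sample policy from this page, copied into a dict (field names are the
# page's YAML keys).
POLICY = {
    "allowedOrigins": ["www.domain.com", "www.test.com"],
    "allowedHeaders": ["header1", "header2"],
    "exposedHeaders": ["header3", "header4"],
    "allowCredentials": True,
    "allowedMethods": ["GET", "POST", "PUT", "DELETE"],
    "maxAge": 34,
}


def _origin_host(origin):
    """Drop the scheme so 'https://www.domain.com' compares with the page's
    host-only syntax 'www.domain.com'. Assumption: the policy lists hosts
    without a scheme."""
    for prefix in ("https://", "http://"):
        if origin.lower().startswith(prefix):
            return origin[len(prefix):]
    return origin


def _lower_keys(request_headers):
    return {k.lower(): v for k, v in request_headers.items()}


def cors_headers(policy, request_headers):
    """Headers for an actual (non-preflight) response.
    Returns {} when there is no Origin (same-origin / non-browser caller),
    None when the Origin is not in allowedOrigins (no CORS headers are sent,
    so the browser blocks the cross-origin read), else the header dict."""
    headers = _lower_keys(request_headers)
    origin = headers.get("origin")
    if origin is None:
        return {}
    allowed = {o.lower() for o in policy["allowedOrigins"]}
    if _origin_host(origin).lower() not in allowed:   # exact match only
        return None
    out = {
        "Access-Control-Allow-Origin": origin,  # echo the one matched origin, never "*"
        "Vary": "Origin",                       # caches must key on Origin
    }
    if policy.get("allowCredentials", True):     # page: default is true
        out["Access-Control-Allow-Credentials"] = "true"
    if policy.get("exposedHeaders"):
        out["Access-Control-Expose-Headers"] = ", ".join(policy["exposedHeaders"])
    return out


def preflight_headers(policy, request_headers):
    """Headers for an OPTIONS preflight. Rejects (returns None) when the
    requested method or any requested header is not in the policy.
    Simplification: CORS-safelisted request headers are not special-cased;
    every requested header must be listed in allowedHeaders."""
    base = cors_headers(policy, request_headers)
    if not base:
        return None
    headers = _lower_keys(request_headers)
    method = headers.get("access-control-request-method", "").upper()
    if method not in {m.upper() for m in policy["allowedMethods"]}:
        return None
    requested = [h.strip().lower()
                 for h in headers.get("access-control-request-headers", "").split(",")
                 if h.strip()]
    allowed_hdrs = {h.lower() for h in policy["allowedHeaders"]}
    if any(h not in allowed_hdrs for h in requested):
        return None
    base.pop("Access-Control-Expose-Headers", None)  # only meaningful on the real response
    base["Access-Control-Allow-Methods"] = ", ".join(policy["allowedMethods"])
    base["Access-Control-Allow-Headers"] = ", ".join(policy["allowedHeaders"])
    base["Access-Control-Max-Age"] = str(policy["maxAge"])  # seconds the browser may cache this
    return base


def check_policy(policy):
    """Lint for misconfigurations a reviewer would flag before deploying."""
    findings = []
    origins = [o.lower() for o in policy["allowedOrigins"]]
    if "*" in origins and policy.get("allowCredentials", True):
        findings.append("wildcard origin together with allowCredentials: "
                        "browsers refuse credentialed responses with '*'")
    if "null" in origins:
        findings.append("'null' origin allowed: sandboxed iframes and local files can present it")
    return findings


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    print(cors_headers(POLICY, {"Origin": "https://www.domain.com"}))
    print(cors_headers(POLICY, {"Origin": "https://www.domain.com.attacker.example"}))
    print(preflight_headers(POLICY, {"Origin": "https://www.test.com",
                                     "Access-Control-Request-Method": "PUT",
                                     "Access-Control-Request-Headers": "header1"}))
    print(check_policy(POLICY))
```

Run it as a script to see the headers each request would receive; the functions return dicts (or None on rejection) so the same logic can be dropped into a test suite that checks a policy file before it is promoted.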