Troubleshooting
Problem
When default CORS support is enabled in an API published to the DataPower® API Gateway, as described in the documentation (https://www.ibm.com/docs/en/api-connect/10.0.8_lts?topic=api-enabling-cors-support), custom server-side header allow-listing implemented at the APIC or backend level does not work. That is, if the backend response or the API assembly populates the CORS response header Access-Control-Expose-Headers with one or more values representing backend custom headers to be allow-listed, the allow-listing has no effect. The browser receiving the API response does not allow the client application to access those custom headers.
Symptom
In a CORS context, a client application expects to receive one or more server-side generated custom headers in the response to an API invocation, but the browser blocks access to those headers because they are not present in the value of the Access-Control-Expose-Headers response header.
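A diagnostic for this symptom, as an added example (not IBM's code): it applies the browser's header-exposure rule from the Fetch standard to a captured API response and reports which expected custom headers client script cannot read. The function names, header names, origin and values in the sample are constructed assumptions.

```javascript
// CORS-safelisted response headers (Fetch standard): always readable by script.
const SAFELISTED = new Set([
  "cache-control", "content-language", "content-length",
  "content-type", "expires", "last-modified", "pragma",
]);

// Split an Access-Control-Expose-Headers value into lower-cased header names.
function parseExposeHeaders(value) {
  return (value || "").split(",")
    .map((name) => name.trim().toLowerCase())
    .filter((name) => name.length > 0);
}

// responseHeaders: header name -> value, as captured from the API response.
// expected: custom headers the client application needs to read.
// withCredentials: in credentialed requests "*" is not treated as a wildcard.
function findBlockedHeaders(responseHeaders, expected, withCredentials = false) {
  const headers = new Map();
  for (const [name, value] of Object.entries(responseHeaders)) {
    headers.set(name.toLowerCase(), value);
  }
  const exposed = parseExposeHeaders(headers.get("access-control-expose-headers"));
  const wildcard = !withCredentials && exposed.includes("*");
  const report = { readable: [], blocked: [], missing: [] };
  for (const wanted of expected) {
    const name = wanted.toLowerCase();
    if (!headers.has(name)) {
      report.missing.push(wanted); // not present in the response at all
    } else if (wildcard || SAFELISTED.has(name) || exposed.includes(name)) {
      report.readable.push(wanted);
    } else {
      report.blocked.push(wanted); // sent, but the browser hides it from script
    }
  }
  return report;
}

// Constructed sample response: two custom headers arrive, but the
// Access-Control-Expose-Headers value seen by the browser names neither.
const sampleResponse = {
  "Content-Type": "application/json",
  "Access-Control-Allow-Origin": "https://app.example.com",
  "Access-Control-Expose-Headers": "X-Gateway-Default", // constructed placeholder
  "X-Request-Id": "constructed-123",
  "X-Rate-Remaining": "42",
};
console.log(findBlockedHeaders(sampleResponse, ["X-Request-Id", "X-Rate-Remaining", "Content-Type"]));
```

Feed it the response headers copied from the browser's network panel; a header listed under `blocked` reached the browser but is absent from the Access-Control-Expose-Headers value it received.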
Document Location
Worldwide
Document Information
More support for:
IBM API Connect
Component:
API Connect
Software version:
10.0.5, 10.0.8
Document number:
7235043
Modified date:
03 June 2025
UID
ibm17235043