Skip to content

Enable CORS for APIs via REST API

Cross-Origin Resource Sharing (CORS) is a mechanism that allows accessing restricted resources (i.e., fonts, images, scripts, videos, and iframes) from domains outside the domain from which the requesting resource originated. Browsers define the origin as a combination of Scheme (http://, https://), Host, and Port. By default, web browsers apply the same-origin policy to avoid interactions between different origins. CORS defines a way in which a browser and a server can interact to determine whether or not it is safe to allow the cross-origin requests. This document illustrate how to enable CORS for APIs via REST API.

Before you begin

CORS configuration

Field Description Possible Values
corsConfigurationEnabled
Determines whether CORS support is enabled or disabled. true (enabled), false (disabled)
accessControlAllowCredentials
Indicates whether the browser should include credentials (e.g., cookies, HTTP authentication). true (enabled), false (disabled)
accessControlAllowOrigins
Defines the allowed origins (domains) from which cross-origin requests can be made. A list of strings representing origins. "*" to allow any origin, or specify individual origins.
accessControlAllowHeaders
Lists the allowed HTTP headers that can be used during the actual request. A list of strings representing header names.
accessControlAllowMethods
Specifies the allowed HTTP methods for cross-origin requests. A list of strings representing HTTP method names.
accessControlExposeHeaders
Lists the response headers that the browser can expose to the requesting client. A list of strings representing header names. "*" to expose all headers, or specify individual headers.
accessControlAllowMaxAge
Indicates how long the results of a preflight request (OPTIONS) can be cached. A positive integer representing the cache duration in seconds.

Create an API with CORS configurations

Follow the instructions below to add CORS configurations to an API using the REST API Interface:

Before you begin

Retrieve existing API configuration.

Here, you can use the apk-conf file which is created in Create an API documentation and save this content into a file named EmployeeServiceCORS.apk-conf.

Sample content before the modification is shown below.

name: "EmployeeServiceAPI"
basePath: "/test"
version: "3.14"
type: "REST"
defaultVersion: false
endpointConfigurations:
  production:
    endpoint: "http://employee-service:80"
operations:
  - target: "/employee"
    verb: "GET"
    secured: true
    scopes: []
  - target: "/employee"
    verb: "POST"
    secured: true
    scopes: []
  - target: "/employee/{employeeId}"
    verb: "PUT"
    secured: true
    scopes: []
  - target: "/employee/{employeeId}"
    verb: "DELETE"
    secured: true
    scopes: []

Update the API configuration with the CORS configurations

Add the necessary CORS configurations to the apk-conf file. A possible example is shown below.

corsConfiguration:
  corsConfigurationEnabled: true
  accessControlAllowCredentials: true
  accessControlAllowOrigins:
    - "*"
  accessControlAllowHeaders:
    - authorization
  accessControlAllowMethods:
    - GET
  accessControlExposeHeaders:
    - "*"

Sample APK configuration content after the modification is shown below.

name: "EmployeeServiceAPI"
basePath: "/test"
version: "4.0"
type: "REST"
defaultVersion: true
endpointConfigurations:
  production:
    endpoint: "https://run.mocky.io/v3/1327c339-354b-4080-8296-f6268365e67b"
operations:
  - target: "/employee"
    verb: "GET"
    secured: true
    scopes: []
  - target: "/employee"
    verb: "POST"
    secured: true
    scopes: []
  - target: "/employee/{employeeId}"
    verb: "PUT"
    secured: true
    scopes: []
  - target: "/employee/{employeeId}"
    verb: "DELETE"
    secured: true
    scopes: []
corsConfiguration:
  corsConfigurationEnabled: true
  accessControlAllowCredentials: true
  accessControlAllowOrigins:
    - "*"
  accessControlAllowHeaders:
    - authorization
  accessControlAllowMethods:
    - GET
  accessControlExposeHeaders:
    - "*"

You have the flexibility to make any related changes to the API configuration. You can deploy the sample APK configuration first and then apply the CORS (Cross-Origin Resource Sharing) configuration to your API.