
Enable CORS for APIs via REST API

Cross-Origin Resource Sharing (CORS) is a mechanism that allows a web page to access restricted resources (e.g., fonts, images, scripts, videos, and iframes) from a domain other than the one the requesting page was served from. Browsers define an origin as the combination of scheme (http://, https://), host, and port. By default, web browsers apply the same-origin policy to prevent interactions between different origins. CORS defines a way for a browser and a server to interact to determine whether it is safe to allow a cross-origin request. This document illustrates how to enable CORS for APIs via REST API.

CORS configuration

Field: corsConfigurationEnabled
  Description: Determines whether CORS support is enabled or disabled.
  Possible values: true (enabled), false (disabled)

Field: accessControlAllowCredentials
  Description: Indicates whether the browser should include credentials (e.g., cookies, HTTP authentication).
  Possible values: true (enabled), false (disabled)

Field: accessControlAllowOrigins
  Description: Defines the allowed origins (domains) from which cross-origin requests can be made.
  Possible values: A list of strings representing origins. "*" to allow any origin, or specify individual origins.

Field: accessControlAllowHeaders
  Description: Lists the allowed HTTP headers that can be used during the actual request.
  Possible values: A list of strings representing header names.

Field: accessControlAllowMethods
  Description: Specifies the allowed HTTP methods for cross-origin requests.
  Possible values: A list of strings representing HTTP method names.

Field: accessControlExposeHeaders
  Description: Lists the response headers that the browser can expose to the requesting client.
  Possible values: A list of strings representing header names. "*" to expose all headers, or specify individual headers.

Field: accessControlAllowMaxAge
  Description: Indicates how long the results of a preflight request (OPTIONS) can be cached.
  Possible values: A positive integer representing the cache duration in seconds.

Retrieve the existing API configuration

Save the following content into a file named EmployeeServiceCORS.apk-conf; it is used for the rest of this guide.

name: "EmployeeServiceAPI"
basePath: "/test"
version: "3.14"
type: "REST"
defaultVersion: false
endpointConfigurations:
  production:
    endpoint: "http://employee-service:8080"
operations:
  - target: "/employees"
    verb: "GET"
    secured: true
    scopes: []
  - target: "/employee"
    verb: "POST"
    secured: true
    scopes: []
  - target: "/employee/{employeeId}"
    verb: "PUT"
    secured: true
    scopes: []
  - target: "/employee/{employeeId}"
    verb: "DELETE"
    secured: true
    scopes: []

Update the API configuration with the CORS configurations

Add the necessary CORS configuration to the apk-conf file. A possible example is shown below. Browsers accept a wildcard ("*") origin only for requests sent without credentials; when accessControlAllowCredentials is true and clients send cookies or HTTP authentication, list the allowed origins explicitly instead.

corsConfiguration:
  corsConfigurationEnabled: true
  accessControlAllowCredentials: true
  accessControlAllowOrigins:
    - "*"
  accessControlAllowHeaders:
    - authorization
  accessControlAllowMethods:
    - GET
  accessControlExposeHeaders:
    - "*"

Sample APK configuration content after the modification is shown below.

name: "EmployeeServiceAPI"
basePath: "/test"
version: "4.0"
type: "REST"
defaultVersion: true
endpointConfigurations:
  production:
    endpoint: "http://employee-service:8080"
operations:
  - target: "/employee"
    verb: "GET"
    secured: true
    scopes: []
  - target: "/employee"
    verb: "POST"
    secured: true
    scopes: []
  - target: "/employee/{employeeId}"
    verb: "PUT"
    secured: true
    scopes: []
  - target: "/employee/{employeeId}"
    verb: "DELETE"
    secured: true
    scopes: []
corsConfiguration:
  corsConfigurationEnabled: true
  accessControlAllowCredentials: true
  accessControlAllowOrigins:
    - "*"
  accessControlAllowHeaders:
    - authorization
  accessControlAllowMethods:
    - GET
  accessControlExposeHeaders:
    - "*"

You have the flexibility to make any related changes to the API configuration. You can deploy the sample APK configuration first and then apply the CORS (Cross-Origin Resource Sharing) configuration to your API.
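As an added example (not part of WSO2 APK or this guide), the following Python models how a browser evaluates the response headers that result from a corsConfiguration block like the one above, and lints the block for the wildcard-with-credentials combination. The config dict is a constructed copy of the sample, and echoing an explicitly listed origin back in Access-Control-Allow-Origin is an assumed gateway behaviour.

```python
# Constructed copy of this page's corsConfiguration block as a Python dict.
CORS_CONFIG = {
    "corsConfigurationEnabled": True,
    "accessControlAllowCredentials": True,
    "accessControlAllowOrigins": ["*"],
    "accessControlAllowHeaders": ["authorization"],
    "accessControlAllowMethods": ["GET"],
    "accessControlExposeHeaders": ["*"],
}


def response_headers(config, origin):
    """Headers the gateway is assumed to emit for a request from `origin`:
    '*' when wildcarded, the origin echoed back when listed explicitly."""
    if not config.get("corsConfigurationEnabled"):
        return {}
    origins = config.get("accessControlAllowOrigins", [])
    if "*" in origins:
        allow_origin = "*"
    elif origin in origins:
        allow_origin = origin
    else:
        return {}  # origin not allowed: no CORS headers at all
    headers = {
        "Access-Control-Allow-Origin": allow_origin,
        "Access-Control-Allow-Methods": ", ".join(config.get("accessControlAllowMethods", [])),
        "Access-Control-Allow-Headers": ", ".join(config.get("accessControlAllowHeaders", [])),
        "Access-Control-Expose-Headers": ", ".join(config.get("accessControlExposeHeaders", [])),
    }
    if config.get("accessControlAllowCredentials"):
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def browser_accepts(headers, origin, with_credentials):
    """The Fetch standard's CORS check: '*' satisfies only requests sent without
    credentials; credentialed ones need the exact origin plus Allow-Credentials."""
    allow_origin = headers.get("Access-Control-Allow-Origin")
    if not with_credentials:
        return allow_origin in ("*", origin)
    return allow_origin == origin and headers.get("Access-Control-Allow-Credentials") == "true"


def lint(config):
    """Flag combinations that browsers reject or that widen exposure."""
    findings = []
    if config.get("accessControlAllowCredentials"):
        if "*" in config.get("accessControlAllowOrigins", []):
            findings.append("allowOrigins '*' with allowCredentials true: credentialed requests fail")
        if "*" in config.get("accessControlExposeHeaders", []):
            findings.append("exposeHeaders '*' is treated as a literal header name when credentials are allowed")
    return findings
```

Running lint over the sample reports both wildcard findings; replacing the wildcards with explicit origins and header names clears them and lets a credentialed request from a listed origin pass the browser check.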