Define a CORS rule

You can define a CORS rule to control which domains can access specific REST API endpoints.

Before you begin

Role required: web_service_admin


  1. Navigate to System Web Services > CORS Rules.
  2. Click New.
  3. Populate the form.
    Table 1. Fields
    Field Description
    REST API Select the REST API this CORS rule applies to, such as the Table API.
    Domain Enter the domain that this CORS rule applies to. This CORS rule is evaluated against requests from the specified domain.

    You can specify a domain pattern or an IP address. When using a domain pattern you can specify a single wildcard to match incoming origin headers.

    HTTP Methods Select the HTTP methods allowed. Only the selected methods can be called from the specified domain.
    HTTP Headers Enter a comma-separated list of HTTP headers to send in the response. Specified headers are added to the Access-Control-Expose-Headers header.
    Max age Enter the number of seconds to cache the client session. After an initial CORS request, further requests from the same client within the specified time do not require a preflight message.

    If you do not specify a value, the default value of 0 indicates that all requests require a preflight message.

  4. Click Submit.