Define a CORS rule
- Updated Jan 30, 2025
- Yokohama
- API implementation
You can define a CORS rule to control which domains can access REST API endpoints and other web resources.
Before you begin
Role required: cors_rule_admin, web_service_admin, or admin
Procedure
- Navigate to All > System Web Services > REST > CORS Rules.
- Select New.
- On the form, fill in the fields.

  Table 1. CORS Rule form

  | Field | Description |
  | --- | --- |
  | Name | Enter a unique name for the rule. |
  | Use Resource Path | Select this option to specify a path to a web resource. For REST APIs, leave this option cleared. |
  | REST API | Select the REST API for the domain to access, such as the Table API. |
  | Web Resource Path | If you selected Use Resource Path, enter a path to the web resource for the domain to access. |
  | Domain | Enter the domain to access the specified REST API or web resource. This CORS rule is evaluated against requests from the specified domain. You can specify a domain pattern or an IP address. When using a domain pattern, you can use the wildcard character (*) to match incoming origin headers. |
  | Max age | Enter the number of seconds to cache the client session. After an initial CORS request, further requests from the same client within the specified time don’t require a preflight message. If you don’t specify a value, the default value of 0 indicates that all requests require a preflight message. |
  | For Embeddables | Reserved for future use. |
  | Active | Select this option to turn on the CORS rule. |

- Select the HTTP Methods tab and select the allowed HTTP methods.

  Only the selected methods can be called from the specified domain.
- Select the HTTP Headers tab and fill in the fields.

  Table 2. HTTP Headers section

  | Field | Description |
  | --- | --- |
  | Access-Control-Allow-Credentials | Option to allow sending credentials in the request. If this option is enabled, you can't use a wildcard in the Domain field. |
  | Access-Control-Allow-Headers | Enter a comma-separated list of HTTP headers to allow in the request or the wildcard character (*) to allow any header. |
  | Access-Control-Expose-Headers | Enter a comma-separated list of HTTP headers to send in the response. |

- Select Submit.
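
An added example, not ServiceNow code: a JavaScript check that reviews a planned rule against the field constraints in the two tables above before you submit it. The object shape, the function names, and the wildcard semantics (`*` matches any run of characters, anchored at both ends) are assumptions, and the sample rules are constructed.

```javascript
// Added example; not ServiceNow code. Property names follow the form labels on
// this page, but the object shape is an assumption made for illustration.

// Assumption: "*" in a Domain pattern matches any run of characters, the rest
// of the pattern is literal, and the match is anchored at both ends.
function originMatches(pattern, origin) {
  const literal = pattern.split('*').map(s => s.replace(/[.+?^${}()|[\]\\]/g, '\\$&'));
  return new RegExp('^' + literal.join('.*') + '$', 'i').test(origin);
}

// Return a list of findings for a planned rule; an empty list means no issue.
function reviewCorsRule(rule) {
  const findings = [];
  const domain = (rule.domain || '').trim();
  const maxAge = rule.maxAge ?? 0; // per the page, an unset Max age defaults to 0
  const headers = (rule.allowHeaders || '').split(',').map(h => h.trim());
  if (!domain) findings.push('Domain is empty');
  if (domain === '*') findings.push('Domain "*" matches every origin');
  if (rule.allowCredentials && domain.includes('*'))
    findings.push('Allow-Credentials is enabled: Domain cannot use a wildcard');
  if (headers.includes('*')) findings.push('Allow-Headers "*" allows any request header');
  if (!Number.isInteger(maxAge) || maxAge < 0) findings.push('Max age must be whole seconds');
  else if (maxAge === 0) findings.push('Max age 0: every request needs a preflight');
  if (!rule.methods || rule.methods.length === 0) findings.push('No HTTP methods selected');
  return findings;
}

// Constructed sample rules.
const strictRule = { domain: 'https://app.example.com', allowCredentials: true,
  allowHeaders: 'Content-Type, Authorization', maxAge: 600, methods: ['GET'] };
const looseRule = { domain: '*', allowCredentials: true, allowHeaders: '*', methods: [] };

console.log(reviewCorsRule(strictRule));
console.log(reviewCorsRule(looseRule));
// A pattern with no separator before the name also matches look-alike hosts.
console.log(originMatches('https://*.example.com', 'https://app.example.com'));
console.log(originMatches('https://*example.com', 'https://notexample.com'));
```

Writing the pattern with the dot (`https://*.example.com`) keeps the match to subdomains of the intended name under the stated assumption.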