CORS
Version 23.0.9145
Version 23.0.9145
CORS
You can configure cross-origin resource sharing (CORS) on the Settings > Server tab. CORS allows browser-based clients to connect to API Server. Without CORS, browser-based scripts cannot connect to the API Server API because of the same-origin policy enforced by the browser. This policy restricts client-side scripts and documents from loading resources outside their origin. The origin of a script consists of the protocol, host, and port.
Once Enable cross-origin resource sharing (CORS) is checked, use the following options to configure CORS:
- Allow all domains without ‘*‘: When this is checked, API Server allows any origin passed by the client by returning that origin in the Access-Control-Allow-Origin header.
- Access-Control-Allow-Origin: Enter the origins for which API Server will participate in CORS. API Server returns these origins in the Access-Control-Allow-Origin header. When this is set to ‘*’, API Server allows any origin and passes ‘*’ in the Access-Control-Allow-Origin header. This is suitable for public APIs.
- Access-Control-Allow-Credentials: Set this to True to require that clients provide credentials.
- Access-Control-Allow-Methods: Enter a comma-separated list of allowed methods.
- Access-Control-Allow-Headers: Enter a comma-separated list of headers that can be used in requests made by the script.
- Access-Control-Max-Age: Enter how long (in seconds) the user agent can cache preflight requests. The default is 3600.