CORS
Version 23.0.8844
You can configure cross-origin resource sharing (CORS) on the Settings -> Server tab. CORS allows browser-based clients to connect to the API Server. Without CORS, browser-based scripts cannot connect to the API Server because of the same-origin policy enforced by the browser. This policy restricts client-side scripts and documents from loading resources outside their origin. The origin of a script consists of the protocol, host, and port.
When the option to enable CORS is selected, you can use the following options to configure CORS:
- Allow all domains without ‘*’: When this option is set, the API Server will allow any origin passed by the client by returning that origin in the Access-Control-Allow-Origin header.
- Access-Control-Allow-Origin: Enter the origins for which the API Server will participate in CORS. The API Server will return these origins in the Access-Control-Allow-Origin header. When this is set to ‘*’, the API Server will allow any origin and pass ‘*’ in the Access-Control-Allow-Origin header. This is suitable for public APIs.
- Access-Control-Allow-Methods: Enter a comma-separated list of allowed methods.
- Access-Control-Allow-Headers: Enter a comma-separated list of headers that can be used in requests made by the script.
- Access-Control-Allow-Credentials: Set this to true if you want to require that clients provide credentials.
- Access-Control-Max-Age: Enter the number of seconds the user agent can cache the results of preflight requests.
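
The following added example (not API Server code) models how the three origin options above translate into response headers under standard CORS header semantics, and flags combinations worth reviewing before enabling them. The parameter names, the precedence between options, and the sample origins are assumptions made for illustration.

```python
# Added example: a model of the origin options described above, not API Server code.
# Parameter names and option precedence are hypothetical.

def cors_headers(request_origin, reflect_any_origin=False,
                 allowed_origins=(), allow_credentials=False):
    """Return the CORS response headers a server with these settings would send."""
    if not request_origin:
        return {}                      # no Origin header: not a CORS request
    if reflect_any_origin:
        value = request_origin         # "Allow all domains without '*'"
    elif "*" in allowed_origins:
        value = "*"                    # wildcard: suitable for public APIs
    elif request_origin in allowed_origins:
        value = request_origin         # exact match on protocol, host and port
    else:
        return {}                      # origin not listed: browser blocks the read
    headers = {"Access-Control-Allow-Origin": value}
    if allow_credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def review(reflect_any_origin=False, allowed_origins=(), allow_credentials=False):
    """Return warnings for setting combinations that deserve a second look."""
    warnings = []
    if allow_credentials and reflect_any_origin:
        warnings.append("every origin is allowed to read credentialed responses")
    if allow_credentials and not reflect_any_origin and "*" in allowed_origins:
        warnings.append("browsers refuse '*' on requests sent with credentials")
    for origin in allowed_origins:
        if origin != "*" and not origin.startswith(("http://", "https://")):
            warnings.append(f"{origin!r} is not a full origin (protocol://host[:port])")
    return warnings


if __name__ == "__main__":
    # Constructed sample origins.
    site = "https://app.example.com"
    print(cors_headers(site, allowed_origins=[site]))
    print(cors_headers("https://other.example.net", allowed_origins=[site]))
    print(cors_headers("https://other.example.net", reflect_any_origin=True,
                       allow_credentials=True))
    print(review(reflect_any_origin=True, allow_credentials=True))
```

An explicit origin list is the only mode in the model where an unlisted site receives no Access-Control-Allow-Origin header, which is what keeps its scripts from reading the response.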