API Policies

Creating a CORS group

After you create a CORS policy, you must associate the policy with a CORS group.
  1. On the Policies page, after you create a CORS policy, open the CORS policy, and then click Create CORS Group.
    The Create CORS Group dialog box appears.
  2. Enter the information for each field as described in the following table:

    | Property | Description |
    | --- | --- |
    | Allowed Origins | The list of origins permitted to access the managed API or managed API group. Origins are case insensitive. Allowed origins are the specific domains or origins that are permitted to access resources on a server. When an API makes a cross-origin request, the server checks whether the origin of the request is on the allowed list. If the origin is allowed, the server responds with the data; otherwise, the request is blocked. Origin refers to the combination of the protocol, domain, and port. For example, https://example.com:8080 and http://example.com:8080 are considered different origins. If no CORS policy is configured, API Center automatically allows cross-origin requests. Default is Access-Control-Allow-Origin: * which means that access from any origin is allowed by default if no CORS policy is configured. A single CORS policy in API Center can't contain duplicate origins. |
    | Allowed Control Max Age | The duration, in seconds, for caching the results of a preflight request. The Allowed Control Max Age header tells the browser how long it can cache the result of its preflight request. During this period, the browser doesn't send another preflight request for the same resource and can directly make the actual request. Maximum allowed control age is 86400 seconds. |
    | Allowed Method | Select the methods to enable CORS support. Allowed methods contain method elements that specify the supported HTTP verbs. The allowed method ensures that only certain types of requests can be made cross-origin, reducing the risk of unauthorized actions. You can select one or all methods from the list of available methods. Available methods are GET, PATCH, POST, DELETE, and PUT. Default is Access-Control-Allow-Methods: *. If no CORS policy is configured, the value * indicates all methods. |
    | Allowed Headers | Enter a comma-separated list of headers that the client must submit in the actual request of the resource. This is the list of headers allowed to be included in cross-origin requests. Allowed headers are not case sensitive. |
    | Exposed Headers | List of acceptable headers to be exposed to the client scripts on a web browser, except for the CORS-safelisted response headers. Exposed headers are not case sensitive. |
  3. Click Create.
    The CORS group appears in the CORS Groups section of the CORS policy.
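
The matching rules from the table above, modeled as an added Python example for reviewing a CORS group before you create it; this is not Informatica code and not API Center's implementation. The dictionary keys, function names, and sample group are hypothetical, and filling in the scheme's default port when an origin omits one is an assumption.

```python
from urllib.parse import urlsplit

MAX_AGE_LIMIT = 86400  # maximum stated in the table above
DEFAULT_PORTS = {"http": 80, "https": 443}

def normalize_origin(origin):
    """Reduce an origin to (scheme, host, port). Assumption: a missing port means the scheme default."""
    parts = urlsplit(origin.strip())
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError(f"not a valid web origin: {origin!r}")
    # urlsplit already lower-cases the hostname, so the comparison is case-insensitive.
    return scheme, parts.hostname, parts.port or DEFAULT_PORTS[scheme]

def validate_group(group):
    """Reject duplicate origins and a preflight cache lifetime above the limit."""
    seen = set()
    for origin in group["allowed_origins"]:
        key = normalize_origin(origin)
        if key in seen:
            raise ValueError(f"duplicate origin: {origin}")
        seen.add(key)
    if not 0 <= group["max_age"] <= MAX_AGE_LIMIT:
        raise ValueError("max age must be between 0 and 86400 seconds")
    return seen

def preflight_headers(group, origin, method, request_headers=()):
    """Return the CORS headers for a preflight request, or None if it is refused."""
    if group is None:  # no CORS policy configured: the wildcard defaults the table describes
        return {"Access-Control-Allow-Origin": "*", "Access-Control-Allow-Methods": "*"}
    allowed = validate_group(group)
    try:
        key = normalize_origin(origin)
    except ValueError:
        return None
    permitted = {h.lower() for h in group["allowed_headers"]}
    if (key not in allowed or method.upper() not in group["allowed_methods"]
            or any(h.lower() not in permitted for h in request_headers)):
        return None
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Methods": ", ".join(group["allowed_methods"]),
        "Access-Control-Allow-Headers": ", ".join(group["allowed_headers"]),
        "Access-Control-Max-Age": str(group["max_age"]),  # standard preflight cache header
    }

# Constructed sample group, not taken from a real deployment.
GROUP = {"allowed_origins": ["https://example.com:8080", "https://app.example.com"],
         "max_age": 600, "allowed_methods": ["GET", "POST"],
         "allowed_headers": ["Content-Type", "Authorization"]}
```

Passing `None` as the group reproduces the no-policy default, which makes it easy to see which managed APIs would accept any origin and any method.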
