Configure for CORS

Depending on the REST API client you're using, you may or may not need to configure for Cross-Origin Resource Sharing (CORS). You only need to configure for CORS if you're using a REST API client developed in a browser-based programming language, such as JavaScript. Such REST API clients can complete requests or access REST APIs only within the context of a web page in a browser.

Why Use CORS?

Simply put, CORS is a set of rules that defines the way a server and a browser talk to each other and whether or not it's safe to do so across different domains. As a specification, CORS provides a standard way to implement cross-domain requests that can be used in all browsers.

All browsers enforce the same-origin policy. This policy permits scripts contained in one web page to access data in another, but only if both web pages originate from the same domain. As a result, REST API clients developed in browser-based programming languages that run in one domain cannot retrieve resources from another domain.

Configuring Origin Domains for CORS

Configure the list of origin domains for CORS in the configuration UI as follows:

  1. Navigate to Configuration , and then Applications , and then Additional restrictions.
  2. Select the Allow cross-origin resource sharing (CORS) from the following web domains checkbox.
  3. In the text box, add the domain names. Enter each domain name on a separate line.


    • Make sure that the domain names are not longer than 253 characters.
    • You can add upto 100 origin domain names.
    • Make sure that there are no leading or trailing white spaces in a domain name.
    • Use the single asterisk '* ' to allow all domains.
    • Do not use wildcards or special characters, they are not supported.
  4. Click Save.


    When a domain name is added or modified, it may take upto three minutes for the changes to reflect across the application.

The following table lists the supported CORS headers, and the values that OFSC returns for each header.

CORS Header Purpose Value Returned
Access-Control-Allow-Origin Provides a comma-separated list of trusted origins from which a client application can access resources. The value of the request header Origin is returned. For example, if the request header value is 'Origin:', then 'Access-Control-Allow-Origin:' is returned.
Access-Control-Max-Age Specifies how long the response to a preflight request is cached. 1728000
Access-Control-Allow-Methods Provides a comma-separated list of permitted HTTP methods in a request. OPTIONS, GET, POST, PUT, PATCH, DELETE
Access-Control-Allow-Headers Provides a comma-separated list of permitted HTTP headers in a request. DNT, Keep-Alive, User-Agent, X-Requested-With, If-Modified-Since, Cache-Control, Content-Type, Authorization
Access-Control-Allow-Credentials Specifies whether a client application can send user credentials with a request. True