Cross-Origin Resource Sharing (CORS) Policies
A CORS policy specifies the settings that can be applied to resources to allow a web application running at one origin (domain) to access resources from a server at a different origin. Each IBM Security Verify Access API Access Control resource can be configured with a CORS policy, where each policy defines:
- Whether or not the reverse proxy should perform the pre-flight check.
- The origins permitted to make requests to this resource.
- Whether or not to set the Access-Control-Allow-Credentials header.
- The headers that are added to a pre-flight check response.
- The methods allowed in requests to this resource.
- The maximum time a client should cache the pre-flight check response.
- The headers that a client should expose.
Attaching a CORS policy to an API Access Control resource results in a new stanza being added to the reverse proxy configuration file. This new stanza is marked with a comment stating that the contents are machine generated and should not be modified manually. This ensures that the API Access Control management component is not affected by any manual changes. Any changes that are made by an administrator are overwritten by CORS policy updates.
Example of the new stanza:
# THIS STANZA IS AUTO GENERATED. PLEASE DO NOT UPDATE AS IT MAY CAUSE PROBLEMS WITH THE API ACCESS CONTROL COMPONENT
[cors-policy:apiac_policyA]
handle-pre-flight = false
max-age = 0
allow-credentials = false
allow-origin = http://test.com
request-match = GET /application/endpointA HTTP/*
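A read-only review aid for the generated stanzas, added here as an example and not IBM's code: it parses [cors-policy:<name>] stanzas out of reverse proxy configuration text and lists settings a reviewer should question. The apiac_policyB stanza, the [other-stanza] section, the use of * as an allow-origin value and the finding names are assumptions constructed for illustration.

```python
import re

# Constructed sample; apiac_policyB, [other-stanza] and '*' as an origin are assumptions.
SAMPLE = """\
[other-stanza]
some-key = some-value
[cors-policy:apiac_policyA]
handle-pre-flight = false
allow-credentials = false
allow-origin = http://test.com
request-match = GET /application/endpointA HTTP/*
[cors-policy:apiac_policyB]
handle-pre-flight = true
allow-credentials = true
allow-origin = *
"""

def parse_cors_policies(text):
    """Map policy name -> {key: [values]} for each [cors-policy:<name>] stanza."""
    policies, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith("#"):
            continue  # blank lines and comments, including the auto-generated banner
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header:
            kind, _, name = header.group(1).partition(":")
            current = policies.setdefault(name, {}) if kind == "cors-policy" else None
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            current.setdefault(key.strip(), []).append(value.strip())
    return policies

def audit(policies):
    """Return sorted (policy, finding) pairs worth a reviewer's attention."""
    findings = []
    for name, cfg in policies.items():
        origins = cfg.get("allow-origin", [])
        credentials = "true" in (v.lower() for v in cfg.get("allow-credentials", []))
        if "*" in origins:
            findings.append((name, "wildcard-origin"))
            if credentials:
                findings.append((name, "wildcard-origin-with-credentials"))
        if any(o.lower().startswith("http://") for o in origins):
            findings.append((name, "cleartext-origin"))
        if "false" in (v.lower() for v in cfg.get("handle-pre-flight", [])):
            findings.append((name, "pre-flight-left-to-backend"))
    return sorted(findings)

if __name__ == "__main__":
    print(audit(parse_cors_policies(SAMPLE)))
```

Because manual edits to the stanza are overwritten, resolve any finding by updating the CORS policy itself rather than the configuration file.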
See:
- Create a CORS policy.
- Add a CORS policy to an API Access Control resource
- Modify a CORS policy in an Existing Resource
- [cors-policy:<policy-name>]
- Cross-Origin Resource Sharing (CORS) support