Creating a cross-origin resource sharing policy
By creating a cross-origin resource sharing (CORS) policy and subsequently mapping it to an application endpoint (path or URL) for an API or service, you control whether and how other systems or websites (origins) are permitted to access that resource.
- In the Dev Studio header, click .
- In the Short description field on the Cross Origin Resource Sharing form, enter a description of the CORS policy.
- In the Policy name field, enter a name for the CORS policy. You might name the policy for an endpoint or for the API or REST service that you intend to protect.
- Click Create and open.
- On the Policy Definition tab of the Cross Origin Resource Sharing form, select the Allow credentials check box to indicate that credentials are permitted in requests to the endpoint.
- For the Allowed origins option, enter a comma-separated list of
domains (origins) that are allowed to make a request against the API or REST
service.At run time, the system evaluates all origins that you specify for this setting until a match is found for the origin header of the request. Wildcard characters are supported, as in the examples shown below.
- In the Maximum age field, enter a number to specify how long, in
seconds, the results of a preflight request can be cached.This is the time period between two consecutive preflight requests, within which you do not want the web browser to send a new preflight request. A longer period reduces the frequency of browser preflight OPTIONS method call requests.
- In the Allowed methods section, select one or more check boxes to specify which request methods are allowed: GET, POST, PUT, or DELETE.
- In the Allowed headers section, enter a comma-separated list of
the request header values that the origin domain is allowed to use for a CORS
request.The authorization and content-type headers are required for Pega Platform applications.
The default value is: authorization, content-type
- In the Exposed headers section, enter a comma-separated list of response headers that clients of this API or service can access.
- Click Save.
Previous topic Defining cross-origin resource sharing policies Next topic Mapping an endpoint to a cross-origin resource sharing policy