API Gateway 10.3 | Using API Gateway | Policies | System-defined Stages and Policies | Response Processing | CORS
 
CORS
The Cross-Origin Resource Sharing (CORS) mechanism supports secure cross-domain requests and data transfers between browsers and web servers. The CORS standard works by adding new HTTP headers that allow servers to describe the set of origins that are permitted to read that information.
This policy provides CORS support, which uses additional HTTP headers to let a client or an application gain permission to access selected resources. An application or a client makes a cross-origin HTTP request when it requests a resource from a different domain, protocol, or port than the one from which the current request originated.
This policy is applicable only for REST-based APIs.
The table lists the CORS response specifications that you can specify for this policy:

| Parameter | Description |
| --- | --- |
| Allowed Origins | Specifies the origins that are allowed to access the responses. Syntax for the origin: scheme://host:port. You can add multiple origins. You can also provide regular expressions for allowed origins. Allowed origins can also be specified in the Advanced section under Applications. Allowed origins of applications registered with this API are also allowed to access this API. |
| Max Age | Specifies the age for which the preflight response is valid. |
| Allowed Methods | Specifies the methods that are allowed in the request. Specify one or more of the following: GET, POST, PUT, DELETE, and PATCH. |
| Allow Headers | Specifies the headers that are allowed in the request. You can add multiple headers that are to be allowed. |
| Allow Credentials | Specifies whether the request credentials could be exposed to the user on request failure. |
| Expose Headers | Specifies the headers that can be exposed to the user on request failure. You can add multiple headers that are to be allowed. |
A corresponding HTTP header is set for all the values above as per the specification. For additional information, see https://www.w3.org/TR/cors/.
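Because Allowed Origins accepts regular expressions, the pattern itself decides which sites can read responses. The following added example is not API Gateway code: the policy field names, the sample origins, and the whole-string regex evaluation are assumptions. It compares a loose pattern with a tightened one and builds the response headers that correspond to the parameters in the table.

```javascript
// Added example: evaluates an Origin header against a CORS policy shaped like the table above.
// Field names and matching logic are assumptions, not API Gateway internals.

// Match an origin against exact strings or RegExp entries.
// Regex entries are forced to match the whole origin (scheme://host:port).
function originAllowed(origin, allowedOrigins) {
  return allowedOrigins.some((entry) => {
    if (typeof entry === 'string') return entry === origin;
    const anchored = new RegExp(`^(?:${entry.source})$`, entry.flags);
    return anchored.test(origin);
  });
}

// Build the CORS response headers for one request, or {} if the origin is not allowed.
function corsHeaders(policy, origin) {
  if (!origin || !originAllowed(origin, policy.allowedOrigins)) return {};
  const headers = {
    'Access-Control-Allow-Origin': origin, // echo only the matched origin, never "*"
    'Vary': 'Origin',                      // stop caches reusing it for other origins
    'Access-Control-Allow-Methods': policy.allowedMethods.join(', '),
    'Access-Control-Allow-Headers': policy.allowHeaders.join(', '),
    'Access-Control-Max-Age': String(policy.maxAge),
  };
  if (policy.exposeHeaders.length) {
    headers['Access-Control-Expose-Headers'] = policy.exposeHeaders.join(', ');
  }
  if (policy.allowCredentials) headers['Access-Control-Allow-Credentials'] = 'true';
  return headers;
}

// Constructed sample policies: a loose pattern beside a tightened one.
const base = { maxAge: 600, allowedMethods: ['GET', 'POST'], allowHeaders: ['Content-Type'],
               allowCredentials: true, exposeHeaders: ['X-Request-Id'] };
const loosePolicy = { ...base, allowedOrigins: [/https:\/\/.*example.com/] };
const strictPolicy = { ...base, allowedOrigins: ['https://portal.example.com:8443',
                                                 /https:\/\/[a-z0-9-]+\.example\.com/] };

// Constructed Origin header values used to compare the two policies.
const samples = ['https://app.example.com', 'https://portal.example.com:8443',
                 'https://notexample.com', 'https://app.example.com.attacker.test',
                 'http://app.example.com', 'null'];

function compare() {
  return samples.map((o) => ({
    origin: o,
    loose: 'Access-Control-Allow-Origin' in corsHeaders(loosePolicy, o),
    strict: 'Access-Control-Allow-Origin' in corsHeaders(strictPolicy, o),
  }));
}

console.table(compare());
```

The loose pattern admits `https://notexample.com` because `.*` spans the label boundary, while the tightened pattern requires a literal dot before `example.com` and lists the port-specific origin exactly.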