Cross-Origin Resource Sharing (CORS) is an HTTP-header-based mechanism that lets a server indicate which origins (domain or port) other than its own a browser should be permitted to load resources from. CORS also relies on a preflight request: before sending certain cross-origin requests, the browser asks the server hosting the resource whether it permits the actual request. In that preflight, the browser sends headers that state the HTTP method and the headers the actual request will use.
The following headers are used:
- Access-Control-Allow-Origin: This specifies either a single origin, which tells browsers to allow that origin to access the resource, or the * wildcard, which tells browsers to allow any origin to access the resource. By default, Access-Control-Allow-Origin is set to the * wildcard.
- Access-Control-Allow-Headers: This header is sent in response to a preflight request that includes Access-Control-Request-Headers, and it indicates which HTTP headers can be used in the actual request. By default, Access-Control-Allow-Headers is set to origin,content-type,accept,authorization.
- Access-Control-Allow-Methods: This response header, sent in response to a preflight request, specifies one or more methods allowed when accessing the resource. By default, Access-Control-Allow-Methods is set to GET, POST, PUT, DELETE, OPTIONS, HEAD.
- Access-Control-Max-Age: This header indicates how long the results of a preflight request can be cached. By default, Access-Control-Max-Age is set to 600, interpreted as seconds.
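The following Python script is an added illustration, not part of the ALM documentation or ALM's own code. It simulates both sides of the preflight exchange described above: the server side echoes the configured Access-Control-* values (using the defaults listed above), and the browser side applies the checks a browser performs on that response before sending the actual request. The origin names, the configuration dictionary and the header-matching logic are constructed for the example, and the matching is simplified (CORS-safelisted request headers are not exempted as real browsers exempt them).

```python
"""Simulate a CORS preflight between a browser and a server configured with
the Access-Control-* headers described above.

Constructed example, not ALM's own code. The server side applies a
configuration dictionary whose keys mirror the four header names; the
browser side applies the checks a browser performs on the preflight
response. Header-list matching is simplified: CORS-safelisted request
headers are not exempted here as real browsers exempt them.
"""

from typing import Dict, List, Optional, Tuple

# Default values as stated in the documentation above (ALM defaults).
ALM_DEFAULTS: Dict[str, str] = {
    "Access-Control-Allow-Origin": "*",
    "Access-Control-Allow-Headers": "origin,content-type,accept,authorization",
    "Access-Control-Allow-Methods": "GET, POST, PUT, DELETE, OPTIONS, HEAD",
    "Access-Control-Max-Age": "600",
}


def _split_list(value: str) -> List[str]:
    """Split a comma-separated header value into lower-cased tokens."""
    return [tok.strip().lower() for tok in value.split(",") if tok.strip()]


def preflight_response(config: Dict[str, str], origin: str) -> Dict[str, str]:
    """Server side: answer an OPTIONS preflight coming from `origin`.

    The configured values are echoed back as response headers. When a single
    origin is configured, Access-Control-Allow-Origin is sent only if the
    request's Origin matches it exactly; otherwise the header is omitted and
    the browser refuses the cross-origin request.
    """
    allowed_origin = config["Access-Control-Allow-Origin"]
    response = {
        "Access-Control-Allow-Headers": config["Access-Control-Allow-Headers"],
        "Access-Control-Allow-Methods": config["Access-Control-Allow-Methods"],
        "Access-Control-Max-Age": config["Access-Control-Max-Age"],
    }
    if allowed_origin == "*" or allowed_origin == origin:
        response["Access-Control-Allow-Origin"] = allowed_origin
    return response


def browser_allows(
    response: Dict[str, str],
    origin: str,
    method: str,
    request_headers: List[str],
    with_credentials: bool = False,
) -> Tuple[bool, str]:
    """Browser side: decide whether the actual request may be sent.

    Returns (allowed, reason). The wildcard rule matters in practice: when a
    request carries credentials (cookies, HTTP auth), browsers reject an
    Access-Control-Allow-Origin of "*" and require the exact origin.
    """
    acao: Optional[str] = response.get("Access-Control-Allow-Origin")
    if acao is None:
        return False, "no Access-Control-Allow-Origin in preflight response"
    if acao == "*":
        if with_credentials:
            return False, "wildcard origin is not accepted for credentialed requests"
    elif acao != origin:
        return False, f"origin {origin} not allowed (server allows {acao})"

    methods = _split_list(response.get("Access-Control-Allow-Methods", ""))
    if method.lower() not in methods:
        return False, f"method {method} not in Access-Control-Allow-Methods"

    allowed_headers = _split_list(response.get("Access-Control-Allow-Headers", ""))
    for name in request_headers:
        if name.lower() not in allowed_headers:
            return False, f"header {name} not in Access-Control-Allow-Headers"
    return True, "allowed"


if __name__ == "__main__":
    # Constructed origins for the demonstration.
    app = "https://app.example.test"
    other = "https://other.example.test"

    # Default (wildcard) configuration.
    resp = preflight_response(ALM_DEFAULTS, app)
    print("default, GET + Content-Type:", browser_allows(resp, app, "GET", ["Content-Type"]))
    print("default, with credentials:  ", browser_allows(resp, app, "GET", [], with_credentials=True))
    print("default, PATCH:             ", browser_allows(resp, app, "PATCH", []))
    print("default, X-Custom header:   ", browser_allows(resp, app, "GET", ["X-Custom"]))

    # Restricted configuration: one explicit origin instead of the wildcard.
    strict = dict(ALM_DEFAULTS, **{"Access-Control-Allow-Origin": app})
    print("strict, matching origin:    ", browser_allows(preflight_response(strict, app), app, "POST", ["Authorization"], with_credentials=True))
    print("strict, other origin:       ", browser_allows(preflight_response(strict, other), other, "GET", []))
```

Running the script shows the practical effect of the two Access-Control-Allow-Origin settings: the default wildcard admits any origin for plain requests but is refused by browsers as soon as the request carries credentials, while an explicit origin admits credentialed requests from that origin only and causes the header to be omitted for every other origin.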
To configure the CORS Access-Control features in ALM, complete the following steps: