The following configuration is required if the front-end client files are hosted on a different machine or host than the API, even if the only change is a domain name or port.
To allow for the API to be accessed from one external domain, the domain your front-end is hosted on, change the value of the Access-Control-Allow-Origin attribute to the exact hostname (including protocol, such as https).
The following example shows how to configure CORS with http://www.example.com as the allowed foreign domain which hosts the front-end client.
<httpProtocol>
<customHeaders>
<!-- Comma-separated list of origins that are allowed to make requests to this API. Enables cross-origin resource sharing (CORS) to these hosts. -->
<add name="Access-Control-Allow-Origin" value="http://www.example.com" />
<add name="Access-Control-Allow-Headers" value="Origin, X-Requested-With, Content-Type, Accept" />
</customHeaders>
</httpProtocol>