
API Gateway: Configure a cross-origin resource sharing policy

Last Updated:Dec 03, 2025

Cross-origin resource sharing (CORS) is the browser mechanism through which a server selectively relaxes the same-origin policy: the browser attaches the calling page's origin to a cross-origin request, and the server's response headers decide whether that origin may make the request and read the response. Cloud-native API Gateway lets you configure CORS policies at the route level, so that only the origins you list can call a route from a browser, and only with the request methods and headers you allow. Restricting the allowed origins limits which websites can read cross-origin responses from your service, including responses to requests that carry a user's cookies, and keeps the route from being exposed to arbitrary third-party pages. Note that CORS controls what a browser is willing to send and read; it is not a substitute for anti-CSRF tokens on state-changing requests, because a browser sends a simple cross-origin form POST whether or not a CORS policy is configured.

Configure a cross-origin resource sharing policy

  1. Cloud-native API Gateway provides two entry points for configuring a CORS policy: from the API list outside an instance, or from inside an instance. Both paths lead to the same route:

    APIs outside an instance

    1. Log on to the Cloud-native API Gateway console. In the left-side navigation pane, select API, and select a region in the top menu bar.

    2. Click the target API. From the drop-down list, select the instance whose route you want to configure, or select All Instances.

    3. In the Routes list, click the target route.

    APIs inside an instance

    1. Log on to the Cloud-native API Gateway console. In the left-side navigation pane, select Instance, and select a region in the top menu bar.

    2. On the Instance page, click the ID of the target gateway instance. In the left-side navigation pane, select API, and click the target API.

    3. In the Routes list, click the target route.

  2. Click the Policy Configuration tab. In the Inbound Processing section, click Enable Policy/Plug-in.

  3. Click the CORS card. In the Add Policy: CORS panel, configure the parameters and click Add.

    Note

    The CORS policy does not take effect for a mock service. Configure a real backend service to test it.

    The Add Policy: CORS panel contains the following configuration items.

    Enable

    Turn on the switch to the right of Enable.

    • If the policy is enabled, CORS requests are answered according to the policy.

    • If the policy is disabled, all CORS requests are rejected.

    Allowed Origins

    The origins (scheme plus domain name) from which a browser is allowed to access the route. Configuration rules:

    • To allow all origins: *.

    • To allow every origin under a root domain: *.example.com. A root-domain wildcard trusts every subdomain, including any that a third party can register or take over, so prefer explicit origins where possible.

    • To specify multiple origins: enter origins that start with http:// or https://, one origin per line.

    Note

    This parameter sets the Access-Control-Allow-Origin response header. When the Origin header of a client request matches one of the allowed origins, the Access-Control-Allow-Origin header of the cross-origin response is set to the value of that Origin header. Because the gateway echoes the matched origin rather than sending a literal *, configuring * together with Allow to Carry Credentials lets any website make credentialed requests to the route and read the responses. List explicit origins whenever credentials are allowed.

    Allowed Methods

    The HTTP methods permitted in CORS requests, for example GET, POST, PUT, DELETE, HEAD, OPTIONS, and PATCH. Allow only the methods the route actually serves.

    Note

    This parameter sets the Access-Control-Allow-Methods header.

    Trusted Request Headers

    The request headers, beyond the CORS-safelisted headers a browser may always send, that a cross-origin request is allowed to carry (for example Authorization or a custom X-Request-Id header). Configuration rules:

    • To allow all request headers: *.

    • To specify multiple request headers: enter each request header on a separate line.

    Note

    This parameter sets the Access-Control-Allow-Headers header.

    Trusted Response Headers

    The response headers, beyond the CORS-safelisted response headers, that browser-side JavaScript is allowed to read from a cross-origin response. Configuration rules:

    • To expose all response headers: *.

    • To specify multiple response headers: enter each response header on a separate line.

    Note

    This parameter sets the Access-Control-Expose-Headers header.

    Allow to Carry Credentials

    Specifies whether cross-origin requests may include credentials (cookies, HTTP authentication, and TLS client certificates). Enable this only for routes that need it, and only together with an explicit list of allowed origins.

    Note

    This parameter sets the Access-Control-Allow-Credentials header.

    Precheck Expiration Time

    The maximum period of time for which a browser may cache the result of a preflight request (the OPTIONS request that a browser sends before a non-simple cross-origin request), so that it does not repeat the preflight for every request. "Precheck" here refers to the preflight.

    Note

    This parameter sets the Access-Control-Max-Age header. Browsers apply their own upper limits to this value, and a long cache period also delays the effect of a policy change for browsers that have already cached the preflight result.

Verify the results

  • Run the following command to send a test preflight request. Replace the IP address, the Host header, and the Origin header with your gateway address, the domain name of the route, and an origin from your allowed list:

    curl -I -H "Origin: http://example.com" -H "Access-Control-Request-Method: GET" -H 'Host: www.test.com' -X OPTIONS http://121.196.XX.XX/demo/item/list 
  • Expected output. The access-control-* headers show that the policy took effect: the allowed origin is echoed back in access-control-allow-origin, and access-control-allow-credentials is true because Allow to Carry Credentials was enabled:

    HTTP/1.1 200 OK
    allow: GET,HEAD,OPTIONS
    x-content-type-options: nosniff
    x-xss-protection: 1; mode=block
    cache-control: no-cache, no-store, max-age=0, must-revalidate
    pragma: no-cache
    expires: 0
    x-frame-options: DENY
    content-length: 0
    date: Tue, 30 Nov 2021 03:20:31 GMT
    x-envoy-upstream-service-time: 6
    access-control-allow-origin: http://example.com
    access-control-allow-credentials: true
    access-control-allow-methods: GET,POST,PUT,DELETE,HEAD,OPTIONS
    access-control-expose-headers: *
    server: istio-envoy
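The single curl call above only shows that an allowed origin is accepted. A practitioner also wants to confirm that an origin outside the allowed list is not echoed back, and that the response never pairs a wildcard origin with credentials. The following POSIX shell checker is an added example, not code from the original page or from the gateway; it reads raw response headers from stdin, so it can be piped from the page's curl command (with -i in place of -I) or run offline against the constructed sample responses embedded below. The origins, IP address and Host header in it are placeholders.

```shell
#!/bin/sh
# Added example (not from the original page): check the CORS headers of a
# preflight (OPTIONS) response. Pipe the page's curl command into it:
#   curl -sS -i -X OPTIONS -H "Origin: https://app.example.com" \
#     -H "Access-Control-Request-Method: GET" -H 'Host: www.test.com' \
#     http://121.196.XX.XX/demo/item/list | check_cors_headers https://app.example.com allowed
# Origins, IP address and Host header are placeholders, not real endpoints.

# hdr NAME : print the value of header NAME (case-insensitive) from $HEADERS.
hdr() {
    printf '%s\n' "$HEADERS" | awk -v n="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        { line = $0; sub(/\r$/, "", line); i = index(line, ":")
          if (i > 0 && tolower(substr(line, 1, i - 1)) == n) {
              v = substr(line, i + 1); sub(/^[ \t]+/, "", v); print v; exit } }'
}

# check_cors_headers ORIGIN allowed|denied
# Returns 0 when the response treats ORIGIN as expected and contains no unsafe
# header combination; returns 1 with a FAIL line on stderr otherwise.
check_cors_headers() {
    origin=$1; expect=$2
    HEADERS=$(cat)
    acao=$(hdr access-control-allow-origin)
    acac=$(hdr access-control-allow-credentials)
    case "$expect" in
      allowed)
        if [ "$acao" != "$origin" ] && [ "$acao" != "*" ]; then
            echo "FAIL: expected Access-Control-Allow-Origin '$origin', got '${acao:-<none>}'" >&2; return 1
        fi ;;
      denied)
        # An echoed Origin here means the policy is broader than intended
        # (for example Allowed Origins "*", which the gateway answers by echoing the Origin).
        if [ "$acao" = "$origin" ] || [ "$acao" = "*" ]; then
            echo "FAIL: untrusted origin '$origin' is allowed (Access-Control-Allow-Origin '$acao')" >&2; return 1
        fi ;;
      *) echo "usage: check_cors_headers ORIGIN allowed|denied" >&2; return 2 ;;
    esac
    # Browsers refuse a literal '*' together with credentials, so this pair is a broken deployment.
    if [ "$acac" = "true" ] && [ "$acao" = "*" ]; then
        echo "FAIL: Access-Control-Allow-Origin '*' cannot be combined with Access-Control-Allow-Credentials: true" >&2; return 1
    fi
    echo "OK: $expect $origin (allow-origin='${acao:-<none>}', allow-credentials='${acac:-<none>}')"
}

# Constructed sample responses (not captured from a real gateway) for offline runs.
# A policy with an explicit allowed origin: only that origin is echoed back.
SAMPLE_STRICT='HTTP/1.1 200 OK
access-control-allow-origin: https://app.example.com
access-control-allow-credentials: true
access-control-allow-methods: GET,POST,OPTIONS
content-length: 0'

# What a policy configured with Allowed Origins "*" plus credentials looks like
# to an attacker-controlled origin: the untrusted Origin is echoed back.
SAMPLE_REFLECTING='HTTP/1.1 200 OK
Access-Control-Allow-Origin: https://evil.example.net
Access-Control-Allow-Credentials: true
content-length: 0'

# Offline demo against the constructed samples.
printf '%s\n' "$SAMPLE_STRICT" | check_cors_headers https://app.example.com allowed
printf '%s\n' "$SAMPLE_STRICT" | check_cors_headers https://evil.example.net denied
printf '%s\n' "$SAMPLE_REFLECTING" | check_cors_headers https://evil.example.net denied || echo "reflecting policy flagged as expected"
```

Run the `denied` check with an origin you do not control, such as a throwaway domain, against every route that has Allow to Carry Credentials enabled; a passing result means the gateway neither echoes that origin nor falls back to a wildcard.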

References

For more information, see Cross-origin resource sharing.