Cross-Origin Resource Sharing (CORS)
Use Cross-Origin Resource Sharing (CORS) Configuration per App Endpoint to enable granular access control to trusted domains for Origin and Login purposes in browser-based and hybrid applications.
About CORS Configuration
You can configure CORS per App Endpoint to relax the Same-Origin access policy and enable granular access controls across different areas of your applications. Using CORS, you can:
- Define specific, trusted domains from which resources may be loaded for use in your browser-based or hybrid applications.
- Define the HTTP headers allowed in pre-flight requests.
- Set the maximum age of pre-flight requests, in seconds.
Your application can run locally while its resources are stored elsewhere in the cloud.
You can enable CORS configuration for an App Endpoint from the config page in the App Endpoint settings by selecting the checkbox. Once enabled, you can set the permitted Origins, Login Origins, the Max Age for requests, and the permissions for any custom HTTP headers. Origins and Login Origins are formatted as comma-separated lists of URLs.
At least one Origin must be configured before the CORS configuration can be confirmed.
Benefits of CORS for Developers
With CORS you can support more flexible architectures for your applications, including web and hybrid mobile apps. CORS provides a method to relax the Same-Origin access policy selectively and safely. This enables access to client-side functions and provides the capability to interface directly with APIs such as the App Services Public REST API. You can customize your applications further with a separate CORS configuration for each of your App Endpoints. Configuring CORS per individual App Endpoint allows you to explicitly define which domains are allowed to access the resources at each App Endpoint, the types of requests that are permitted, and which headers can be included in each request.
You can configure your App Endpoints for different use cases with a specific CORS configuration, such as:
- Same-Origin Requests - CORS is not needed.
- Broad Browser Support - Keep in mind that some older browser versions may have limited or no CORS support.
- Low Latency - Endpoints that frequently require the use of HTTP requests could experience a latency overhead as requests are processed.
- High Security Demand - If applications are running on less secure origins such as HTTP, this could pose security risks for your users.
Available CORS Configuration Options
Once CORS configuration is enabled, you can configure the following settings for each of your App Endpoints:
Origin (Access-Control-Allow-Origin)
You can set the origin domains that your App Endpoint treats as trusted sources of data.
You can also use the * wildcard to permit any domain as the origin.
You cannot use the * wildcard if you also plan to authenticate users.
Using the * wildcard in production environments is not recommended, because of the security vulnerabilities it can create in your application.
Login Origin
You can define domains permitted to manage sessions. This is useful if you want to manage user sessions through the Public REST API.
Allowed Headers (Access-Control-Allow-Headers)
You can define the headers that are permitted in pre-flight requests to your App Endpoints. This allows you to tailor request handling to the needs of each App Endpoint.
Max Age (Access-Control-Max-Age)
You can define how long, in seconds, the browser may cache the result of a pre-flight request.
Tuning this value to the needs of your App Endpoint can reduce server request latency.
The default value for Max Age is 5 seconds; the permitted range is 0 to 86400 (one day in seconds).
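The following is an added reference model, not Capella or App Services code, that evaluates a browser pre-flight request against the four settings described above (Origin, Login Origin, Allowed Headers and Max Age). It shows the rules the page states: a refused origin gets no Access-Control headers, the * wildcard cannot be combined with credentialed (authenticated) requests, only configured headers are allowed, the origin lists are parsed from comma-separated strings, and Max Age is validated against the 0 to 86400 range with a default of 5. The `CorsConfig` class, the `login` flag (which selects the Login Origin list for session-management requests) and the decision to ignore browser-safelisted headers are assumptions made for this example.

```python
"""Reference model of a per-App-Endpoint CORS pre-flight decision.

Added example; not Capella/App Services code. The configuration shape,
the `login` switch and the treatment of headers are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

MAX_AGE_DEFAULT = 5        # seconds, the default stated on the page
MAX_AGE_LIMIT = 86400      # one day in seconds, the upper bound stated on the page


def parse_origin_list(value: str) -> list[str]:
    """Parse the comma-separated list of URLs used for Origins / Login Origins."""
    return [item.strip() for item in value.split(",") if item.strip()]


@dataclass
class CorsConfig:
    """Hypothetical container for the four CORS settings of one App Endpoint."""
    origins: list[str]
    login_origins: list[str] = field(default_factory=list)
    allowed_headers: list[str] = field(default_factory=list)
    max_age: int = MAX_AGE_DEFAULT

    def validate(self) -> list[str]:
        """Return the configuration problems the page calls out, or [] if none."""
        problems = []
        if not self.origins:
            problems.append("at least one Origin must be configured")
        if not 0 <= self.max_age <= MAX_AGE_LIMIT:
            problems.append(f"Max Age must be between 0 and {MAX_AGE_LIMIT} seconds")
        return problems


def preflight_headers(config: CorsConfig, origin: str, requested_headers: list[str],
                      credentials: bool = False, login: bool = False) -> Optional[dict]:
    """Evaluate an OPTIONS pre-flight request.

    Returns the Access-Control-* response headers to emit, or None when the
    request must be refused (untrusted origin, wildcard with credentials,
    or a header that is not in the allow-list).
    """
    # Session-management requests are checked against the Login Origins
    # (assumption for this model); everything else against the Origins.
    allowed = config.login_origins if login else config.origins

    if "*" in allowed:
        if credentials:
            # Browsers reject "*" together with credentials, which is why the
            # page says the wildcard cannot be used when authenticating users.
            return None
        allow_origin = "*"
    elif origin in allowed:
        allow_origin = origin
    else:
        return None

    # Header names are case-insensitive; only configured headers are allowed
    # in this model (real servers also safelist a few simple headers).
    permitted = {h.lower() for h in config.allowed_headers}
    if any(h.lower() not in permitted for h in requested_headers):
        return None

    headers = {
        "Access-Control-Allow-Origin": allow_origin,
        "Access-Control-Max-Age": str(config.max_age),
    }
    if config.allowed_headers:
        headers["Access-Control-Allow-Headers"] = ", ".join(config.allowed_headers)
    if allow_origin != "*":
        # The response depends on the request Origin, so caches must key on it.
        headers["Vary"] = "Origin"
    if credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


if __name__ == "__main__":
    # Constructed sample configuration, mirroring the comma-separated UI fields.
    cfg = CorsConfig(
        origins=parse_origin_list("https://app.example.com, https://staging.example.com"),
        allowed_headers=["Content-Type", "X-Requested-With"],
        max_age=600,
    )
    print(cfg.validate())
    print(preflight_headers(cfg, "https://app.example.com", ["content-type"]))
    print(preflight_headers(cfg, "https://other.example", ["content-type"]))
```

Running the module prints an empty problem list, the headers for the trusted origin, and `None` for the untrusted one. The same function makes the wildcard trade-off visible: a configuration with `origins=["*"]` answers every origin until `credentials=True` is set, at which point it must refuse.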