After you create a CORS policy and associate the policy with a CORS group, you can apply the CORS policy at the API level.
Applying a CORS policy at the API level empowers you to enforce specific rules for a particular API. You can apply this policy to all operations or endpoints within that API unless overridden at the operation level. For example, you can allow cross-origin requests from certain origins for one API but restrict the same cross-origin requests for another.
When you configure a CORS policy, the policy is enabled by default. After configuring the policy, the policy manager can choose to enable or disable the policy.