
Creating a CORS group

After you create a CORS policy, you must associate the policy with a CORS group.
    1. On the Policies page, after you create a CORS policy, open the CORS policy, and then click Create CORS Group.
    The Create CORS Group dialog box appears.
    2. Enter the information for each field as mentioned in the following table:
    Property
    Description
    Allowed Origins
    The list of origins permitted to access the managed API or managed API group. Origins are case insensitive.
    Allowed origins refer to the specific domains or origins that are permitted to access resources on a server. When an API makes a cross-origin request, the server checks if the origin of the request is on the allowed list. If the origin is allowed, the server responds with the data; otherwise, the request is blocked.
    Origin refers to the combination of the protocol, domain, and port. For example, https://example.com:8080 and http://example.com:8080 are considered different origins.
    If no CORS policy is configured, API Center automatically allows cross-origin requests.
    Default is Access-Control-Allow-Origin: *, which means that access from any origin is allowed by default if no CORS policy is configured.
    Note: A single CORS policy in API Center can't contain duplicate origins.
    Allowed Control Max Age
    The duration, in seconds, for caching the results of a preflight request.
    The Allowed Control Max Age header tells the browser how long it can cache the result of its preflight request. During this period, the browser doesn't send another preflight request for the same resource and can directly make the actual request.
    Maximum allowed control age is 86400 seconds.
    Allowed Method
    Select the methods to enable CORS support. Allowed methods contain method elements that specify the supported HTTP verbs. The allowed method ensures that only certain types of requests can be made cross-origin, reducing the risk of unauthorized actions.
    You can select one or all methods from the list of available methods. Available methods are GET, PATCH, POST, DELETE, and PUT.
    Default is Access-Control-Allow-Methods: *. If no CORS policy is configured, the value * indicates all methods.
    Allowed Headers
    Enter a comma-separated list of headers that the client must submit in the actual request of the resource. This is the list of headers allowed to be included in cross-origin requests. Allowed headers are not case sensitive.
    Exposed Headers
    List of acceptable headers to be exposed to the client scripts on a web browser, except for the CORS-safelisted response headers. Exposed headers are not case sensitive.
    3. Click Create.
    The CORS group appears in the CORS Groups section of the CORS policy.
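
The following JavaScript sketch is an added example, not API Center code. It models the rules from the table (origins compared as protocol, domain, and port without regard to case, no duplicate origins, a maximum age of 86400 seconds, the five listed methods) and the preflight decision that follows from them. The field names, function names, sample group, and the choice to accept only explicit origins are assumptions made for illustration.

```javascript
// Added model of the CORS group fields; field names are hypothetical, not API Center's.
const METHODS = ["GET", "PATCH", "POST", "DELETE", "PUT"]; // methods listed on this page
const MAX_AGE_LIMIT = 86400; // maximum from this page, in seconds

// Reduce an origin to scheme://host[:port]; URL parsing lowercases scheme and host.
function normalizeOrigin(value) {
  const url = new URL(value); // throws on malformed input such as "*"
  if (url.origin === "null" || url.pathname !== "/" || url.search || url.hash) {
    throw new Error(`not a bare origin: ${value}`);
  }
  return url.origin;
}

// Return the configuration problems and the set of normalized origins.
function validateCorsGroup(group) {
  const problems = [];
  const origins = new Set();
  for (const raw of group.allowedOrigins) {
    let origin;
    try { origin = normalizeOrigin(raw); } catch (e) { problems.push(`invalid origin: ${raw}`); continue; }
    if (origins.has(origin)) problems.push(`duplicate origin: ${raw}`);
    origins.add(origin);
  }
  if (!Number.isInteger(group.maxAge) || group.maxAge < 0 || group.maxAge > MAX_AGE_LIMIT) {
    problems.push(`max age must be 0-${MAX_AGE_LIMIT} seconds`);
  }
  problems.push(...group.allowedMethods.filter((m) => !METHODS.includes(m)).map((m) => `unsupported method: ${m}`));
  return { problems, origins };
}

// Build the preflight response headers, or null when the request is not allowed.
function preflightResponse(group, request) {
  const { problems, origins } = validateCorsGroup(group);
  if (problems.length) throw new Error(problems.join("; "));
  let origin;
  try { origin = normalizeOrigin(request.origin); } catch (e) { return null; }
  const allowed = group.allowedHeaders.map((h) => h.toLowerCase());
  const headersOk = request.headers.every((h) => allowed.includes(h.toLowerCase()));
  if (!origins.has(origin) || !group.allowedMethods.includes(request.method) || !headersOk) return null;
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Methods": group.allowedMethods.join(", "),
    "Access-Control-Allow-Headers": group.allowedHeaders.join(", "),
    "Access-Control-Max-Age": String(group.maxAge),
    "Vary": "Origin",
  };
}
const sampleGroup = { // constructed sample values
  allowedOrigins: ["https://example.com:8080", "https://app.example.com"],
  maxAge: 600, allowedMethods: ["GET", "POST"], allowedHeaders: ["Content-Type", "Authorization"],
};
```

A null result stands for a response without CORS headers, which the browser treats as a refusal of the cross-origin call.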