Consider the following guidelines for CORS policies:
• You can't activate a managed API or managed API group if they contain a disabled CORS policy. Edit the managed API or managed API group and reassign a CORS policy.
• For a managed API with an anonymous security policy, if CORS policies are defined in both API Center and the Application Integration process, both CORS policies are applied to the managed API. These policies can either be identical or different. However, the request will succeed only if both CORS policies are successfully applied. If either policy fails, a failure response is returned.
In the case of an authenticated managed API, the CORS policy defined in API Center takes precedence and overrides the CORS policy defined in Application Integration.
• When testing a managed API that has an assigned CORS policy, ensure that the API Center host is included as one of the origins in the CORS policy configuration.
• To run an authenticated managed API with an assigned CORS policy, ensure the Authorization and Content-Type headers are included in the allowed headers list for the request origins. If the REST API was created using the top-down approach, add these headers to the CORS group's allowed headers list.
• According to W3C standards, ports 80 and 443 are the default ports.
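
The following added example, which is not product code, models how the guidelines above combine for a preflight request: both policies must pass for an anonymous API, the API Center policy alone decides for an authenticated API, and origins are compared with default ports dropped. The policy object shape, the function names and the `example.com` hosts are assumptions made for the illustration.

```javascript
// Added illustration of the guidelines above; not product code.
// The policy shape { origins, headers } and all host names are constructed.

// Canonical origin: lowercases the host and drops default ports (80 http, 443 https).
function normalizeOrigin(origin) {
  try {
    const o = new URL(origin).origin;
    return o === "null" ? null : o; // opaque origins never match a policy entry
  } catch {
    return null; // not a parseable origin, for example the literal "null"
  }
}

// Evaluate one policy against a preflight's Origin and Access-Control-Request-Headers.
function checkPolicy(policy, origin, requestHeaders) {
  const requested = normalizeOrigin(origin);
  if (!requested || !policy.origins.map(normalizeOrigin).includes(requested))
    return { ok: false, reason: "origin not allowed" };
  const allowed = policy.headers.map((h) => h.toLowerCase());
  const missing = requestHeaders.filter((h) => !allowed.includes(h.toLowerCase()));
  return missing.length
    ? { ok: false, reason: "header not allowed: " + missing.join(", ") }
    : { ok: true, reason: "allowed" };
}

// Combine the API Center policy with the Application Integration process policy.
function evaluate(api, origin, requestHeaders) {
  const center = checkPolicy(api.apiCenter, origin, requestHeaders);
  // Authenticated API: the API Center policy overrides the process policy.
  if (api.authenticated || !api.process || !center.ok) return center;
  // Anonymous API: the request succeeds only if both policies pass.
  return checkPolicy(api.process, origin, requestHeaders);
}

// Constructed sample policies.
const centerPolicy = {
  origins: ["https://app.example.com:443", "https://apicenter.example.com"],
  headers: ["Authorization", "Content-Type"],
};
const processPolicy = { origins: ["https://partner.example.com"], headers: ["Content-Type"] };
```

With these sample policies, a request from `https://app.example.com` succeeds on an authenticated API but fails on an anonymous one, because the process policy does not list that origin.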