I have a general query about how we design CORS in APIGEE.
When the consumer sends a preflight CORS request with the HTTP method OPTIONS, APIGEE sends CORS headers to the consumer to let the consumer know about allowable origins, methods, etc.
1) If preflight is already happening, then do we also need to send CORS headers in each and every response APIGEE sends to the consumer, through an Assign Message policy in the response path?
2) Do all browser-based consumers send a preflight request with the HTTP method OPTIONS as the initial request?
1) Yes, according to the CORS standard, the Access-Control-Allow-xxxx headers should be sent with every response, not only in the response to the pre-flight request.
2) No, the preflight (OPTIONS) request is not sent before all requests. The preflight is sent only in special circumstances. You can read about those circumstances in the CORS specs.
reference: https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS
Thank you @Dino. The link was very helpful. I got the answer for my 2nd question more clearly.
Additionally, I learnt the purpose of Allow origin set as {request.header.origin}. I had a misconception that we need to define static values.
Hi @RK4
Check the below links for detailed info on how CORS works and how to enable the support on Apigee.
https://community.apigee.com/questions/2890/add-usable-cors-policy-in-my-api-proxy-when-using.html
Thank you @Maruti Chand
Hi @RK4 here is a sample API proxy that you can use as a reference for providing CORS support in your proxies. Please change the value of the "Access-Control-Allow-Origin" header (in Set CORS policy) to something more meaningful.
@Prithpal Bhogill Thanks. My notion was we should not give static domain names in Allow-origin and we should always give * or request.header.origin.
Because I thought if a new consumer wants to send a request to the API, then we need to make changes in the Allow-origin for adding his domain name. So, we need to make changes in Allow-origin as per consumer domain.
As per consumer, we need to make proxy changes. Is it really good to do it this way?
Should an APIGEE proxy be designed for the backend API, or should it also consider the consumer?
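The points discussed in this thread (CORS headers on every response, extra headers only on a real preflight, and echoing the request origin versus static values), as an added example that is not from any post above or from the sample proxy. It echoes `Origin` only after an exact match against an allowlist, since reflecting the header unchecked admits every site; the origins, header lists and function names are assumptions made for illustration.

```javascript
// Constructed allowlist: placeholder origins, not values from the thread.
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",
  "https://partner.example.org",
]);
const ALLOWED_METHODS = ["GET", "POST", "PUT", "DELETE"];
const ALLOWED_HEADERS = ["content-type", "authorization"];

// A preflight is an OPTIONS request that carries both Origin and
// Access-Control-Request-Method; a plain OPTIONS call is not a preflight.
function isPreflight(method, headers) {
  return method === "OPTIONS" &&
    "origin" in headers &&
    "access-control-request-method" in headers;
}

// Returns the CORS headers to attach to the response.
// `headers` is the request header map with lower-cased names.
function corsHeaders(method, headers) {
  // The response varies with Origin, so caches must key on it.
  const denied = { "Vary": "Origin" };
  const origin = headers["origin"];

  // No Origin (non-browser client) or an origin outside the allowlist:
  // send no allow headers, so the browser withholds the response from the page.
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return denied;

  // Sent on every response, preflight or not.
  const out = { "Vary": "Origin", "Access-Control-Allow-Origin": origin };

  if (isPreflight(method, headers)) {
    const wanted = headers["access-control-request-method"];
    if (!ALLOWED_METHODS.includes(wanted)) return denied;
    out["Access-Control-Allow-Methods"] = ALLOWED_METHODS.join(", ");
    out["Access-Control-Allow-Headers"] = ALLOWED_HEADERS.join(", ");
    out["Access-Control-Max-Age"] = "600"; // cache the preflight for 10 minutes
  }
  return out;
}
```

With this shape, onboarding a new consumer means adding one entry to the allowlist rather than changing the policy logic.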