Only return supported methods in the "Access-Control-Allow-Methods" header

Hi, is there any good way to return only the allowed methods in the "Access-Control-Allow-Methods" header? We are currently using the adding-cors-support-api-proxy policy, but it adds all methods.

We'd like our proxy to return the methods which have corresponding condition mappings

<Condition>
	(request.verb = "GET") AND (proxy.pathsuffix MatchesPath "/userinfo")
</Condition>

We are currently looking at implementing it by adding the methods through Assign Message policies:

<Flows>
	<!-- One conditional flow per verb: a Flow takes a single Request and a single Condition.
	     The second flow name and description are illustrative. -->
	<Flow name="getUserInfo">
		<Description>Get user info</Description>
		<Request>
			<Step>
				<Name>amAddGetToSupportedMethods</Name>
			</Step>
		</Request>
		<Condition>(request.verb = "GET") AND (proxy.pathsuffix MatchesPath "/userinfo")</Condition>
	</Flow>
	<Flow name="putUserInfo">
		<Description>Put user info</Description>
		<Request>
			<Step>
				<Name>amAddPutToSupportedMethods</Name>
			</Step>
		</Request>
		<Condition>(request.verb = "PUT") AND (proxy.pathsuffix MatchesPath "/userinfo")</Condition>
	</Flow>
</Flows>

Is there a better way of doing this?

Edit:

For clarification, we'd like to define the supported methods per endpoint and not for the entire proxy as the supported methods may vary from endpoint to endpoint within the same proxy.


Well, the "Add CORS" policy uses "Assign Message" internally. If you want to send only limited headers, you should add an Assign Message policy manually with the following contents:

<AssignMessage async="false" continueOnError="false" enabled="true" name="add-cors">
    <DisplayName>Add CORS</DisplayName>
    <FaultRules/>
    <Properties/>
    <Set>
        <Headers>
            <Header name="Access-Control-Allow-Origin">{request.header.origin}</Header>
            <Header name="Access-Control-Allow-Headers">origin, x-requested-with, accept, content-type</Header>
            <Header name="Access-Control-Max-Age">3628800</Header>
            <Header name="Access-Control-Allow-Methods">GET</Header>
        </Headers>
    </Set>
    <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
    <AssignTo createNew="false" transport="http" type="response"/>
</AssignMessage>

The problem is that the allowed methods are not the same for all endpoints.

As mentioned by Vijay, you can add all the supported methods using Assign Message policy.

If your API only allows GET:

<Header name="Access-Control-Allow-Methods">GET</Header>

If your API allows GET and POST:

<Header name="Access-Control-Allow-Methods">GET, POST</Header>

Yes, and also... the Header element accepts a message template, so you can do this:

<AssignMessage name="add-cors">
    <Set>
        <Headers>
            <Header name="Access-Control-Allow-Methods">{variable.here}</Header>
        </Headers>
    </Set>
</AssignMessage>

And you can set the variable containing the valid methods, based on a lookup in KVM, or similar.
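The last reply leaves the per-endpoint lookup to the reader, which is exactly the part the question is about. Below is an added example, not code from this thread or from Apigee, written the way a JavaScript policy would populate that variable: a route table keyed by path pattern yields the Access-Control-Allow-Methods value for the preflight and a flag saying whether the method the browser asked for is actually implemented. The ROUTES table, the `cors.*` variable names and the hook at the end are assumptions; `context.getVariable`/`context.setVariable` and `proxy.pathsuffix` are Apigee's, and the hook is skipped when the file runs under Node.

```javascript
// Added example, not code from the thread or from Apigee: derive a per-endpoint
// Access-Control-Allow-Methods value from a route table. ROUTES and the cors.*
// variable names are assumptions; `context` only exists inside an Apigee JavaScript policy.
// Constructed route table: path-suffix pattern -> methods that endpoint implements.
var ROUTES = {
  "/userinfo": ["GET", "PUT"],
  "/users/*": ["GET", "DELETE"],
  "/users/*/tokens": ["POST"]
};

// Apigee-style pattern to an anchored RegExp: "*" is one path segment,
// "**" is any remaining segments; everything else is matched literally.
function patternToRegExp(pattern) {
  var body = pattern.split("/").map(function (seg) {
    if (seg === "**") return ".*";
    if (seg === "*") return "[^/]+";
    return seg.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
  }).join("/");
  return new RegExp("^" + body + "$");
}

// Methods the endpoint implements; [] when no pattern matches the suffix.
function allowedMethodsFor(pathSuffix) {
  var patterns = Object.keys(ROUTES);
  for (var i = 0; i < patterns.length; i++) {
    if (patternToRegExp(patterns[i]).test(pathSuffix)) return ROUTES[patterns[i]].slice();
  }
  return [];
}

// Preflight header value: the endpoint's methods plus OPTIONS; null for an unknown path.
function allowMethodsHeader(pathSuffix) {
  var methods = allowedMethodsFor(pathSuffix);
  if (methods.length === 0) return null;
  if (methods.indexOf("OPTIONS") === -1) methods.push("OPTIONS");
  return methods.join(", ");
}

// True only if the method named in the preflight is one the endpoint implements.
function preflightMethodAllowed(pathSuffix, requestedMethod) {
  var m = String(requestedMethod || "").toUpperCase();
  return allowedMethodsFor(pathSuffix).indexOf(m) !== -1;
}
// Apigee hook (skipped under Node): run on the OPTIONS flow, then reference
// {cors.allow_methods} in the AssignMessage Header and {cors.method_ok} in a RaiseFault condition.
if (typeof context !== "undefined") {
  var suffix = context.getVariable("proxy.pathsuffix");
  var requested = context.getVariable("request.header.access-control-request-method");
  context.setVariable("cors.allow_methods", allowMethodsHeader(suffix) || "");
  context.setVariable("cors.method_ok", preflightMethodAllowed(suffix, requested));
}
```

An unknown path yields null, so the AssignMessage step can be skipped entirely rather than advertising methods the proxy never routes.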