
Advanced: CORS

WARNING: Only enable these settings when trusted applications on other origins need to call this site. Overly broad CORS values can expose endpoints to unexpected cross-origin access, while incorrect values can break legitimate API traffic.

Description of the control

Use this control to manage Cross-Origin Resource Sharing for trusted external origins. This grouped workflow lets administrators turn on CORS handling and define allowed origins, methods, headers, and the preflight cache duration.

Procedure

  1. Open Posture Management.
  2. Select Transport & Browser Security.
  3. In the Advanced: CORS card, expand Show advanced CORS settings.
  4. Review the help text that states CORS should be enabled only when you control the calling origin.
  5. Turn on Enable CORS responses if another origin needs to communicate with the site.
  6. In Allowed Origins, enter a comma-separated list of full origins, for example https://app.example.com.
  7. In Allowed Methods, enter the required comma-separated methods, such as GET, POST, OPTIONS.
  8. In Allowed Headers, enter the headers clients may send, such as Content-Type, Authorization.
  9. In Preflight max-age (seconds), enter the number of seconds browsers should cache the preflight response.
  10. Select Save Transport & Browser Settings.

Validation

Send a request from an allowed external origin and confirm the site returns the expected CORS response headers. Then send a request from an origin that is not on the allowed list and confirm that it is not granted cross-origin access.
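The following is an added illustration, not the product's own code: a minimal model of how the four settings above (origins, methods, headers, max-age) translate into the response headers the validation step should observe. Header names are the standard CORS ones; the exact-origin matching rule and the sample max-age value of 600 are assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass
class CorsSettings:
    enabled: bool
    allowed_origins: list   # full origins (scheme://host[:port]), matched exactly
    allowed_methods: list
    allowed_headers: list
    max_age: int            # seconds a browser may cache the preflight result

def parse_csv(value):
    """Split a comma-separated setting value, trimming spaces and empty items."""
    return [v.strip() for v in value.split(",") if v.strip()]

def cors_headers(cfg, origin, method, req_method=None, req_headers=""):
    """CORS response headers for one request, or {} when none should be sent.

    origin      - the request's Origin header (None if absent)
    method      - HTTP method of the request itself
    req_method  - Access-Control-Request-Method on an OPTIONS preflight
    req_headers - Access-Control-Request-Headers on that preflight
    """
    if not cfg.enabled or origin not in cfg.allowed_origins:
        # Exact string match of the full origin: a different scheme, a port
        # mismatch or an extra label (app.example.com.attacker.test) all fail.
        return {}
    if method == "OPTIONS" and req_method is not None:
        # Preflight: the method and every requested header must be allowed.
        if req_method not in cfg.allowed_methods:
            return {}
        allowed = {h.lower() for h in cfg.allowed_headers}  # names are case-insensitive
        if any(h.lower() not in allowed for h in parse_csv(req_headers)):
            return {}
        return {
            "Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Methods": ", ".join(cfg.allowed_methods),
            "Access-Control-Allow-Headers": ", ".join(cfg.allowed_headers),
            "Access-Control-Max-Age": str(cfg.max_age),
            "Vary": "Origin",
        }
    # Actual (non-preflight) request: echo the matched origin and mark the
    # response as varying on Origin so shared caches keep origins apart.
    return {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}

# Constructed sample configuration using the procedure's example values;
# the max-age of 600 seconds is an assumed value, not one from the page.
SETTINGS = CorsSettings(
    enabled=True,
    allowed_origins=parse_csv("https://app.example.com"),
    allowed_methods=parse_csv("GET, POST, OPTIONS"),
    allowed_headers=parse_csv("Content-Type, Authorization"),
    max_age=600,
)
```

Comparing the dictionary returned for an allowed origin against the headers seen in a real response, and confirming the empty result for a non-allowed origin, is the check the Validation step describes.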
