Update CORS Settings
Overview
Updates CORS (Cross-Origin Resource Sharing) settings for an API proxy. CORS settings control how browsers handle cross-origin requests to the API proxy.
Endpoint
PATCH /apiops/projects/{projectName}/apiProxies/{apiProxyName}/settings/cors/
Authentication
Requires a Personal API Access Token.
Header
Authorization: Bearer YOUR_TOKEN
Request
Headers
| Header | Value | Required |
|---|---|---|
| Authorization | Bearer {token} | Yes |
| Content-Type | application/json | Yes |
Path Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
| projectName | string | Yes | Project name |
| apiProxyName | string | Yes | API Proxy name |
Request Body
Full JSON Body Example
{
  "name": "CORS Settings",
  "description": "CORS configuration for API",
  "corsActive": true,
  "allowOriginList": [
    "*"
  ],
  "allowMethodList": [
    "GET",
    "POST",
    "PUT",
    "DELETE",
    "PATCH",
    "OPTIONS"
  ],
  "allowHeaderList": [
    "*"
  ],
  "exposeHeaderList": [
    "X-Custom-Header"
  ],
  "allowCredentials": "false",
  "maxAge": 3600
}
Request Body Fields
| Field | Type | Required | Default | Description |
|---|---|---|---|---|
| name | string | Yes | - | CORS settings name |
| description | string | No | - | CORS settings description |
| corsActive | boolean | No | false | Enable/disable CORS |
| allowOriginList | array | No | [] | List of allowed origins (use ["*"] for all origins) |
| allowMethodList | array | No | [] | List of allowed HTTP methods |
| allowHeaderList | array | No | [] | List of allowed headers (use ["*"] for all headers) |
| exposeHeaderList | array | No | [] | List of headers exposed to client |
| allowCredentials | string | No | "false" | Allow credentials ("true" or "false") |
| maxAge | integer | No | 3600 | Max age for preflight requests in seconds |
EnumHttpRequestMethod
- GET - GET method
- POST - POST method
- PUT - PUT method
- DELETE - DELETE method
- PATCH - PATCH method
- OPTIONS - OPTIONS method
- HEAD - HEAD method
- TRACE - TRACE method
- ALL - All methods
Note
- allowOriginList can contain "*" to allow all origins, but this cannot be used with allowCredentials: "true"
- allowHeaderList can contain "*" to allow all headers
- allowCredentials must be a string ("true" or "false"), not a boolean
Response
Success Response (200 OK)
{
  "success": true
}
Response Fields
| Field | Type | Description |
|---|---|---|
| success | boolean | Indicates if the request was successful |
Error Response (400 Bad Request)
{
  "error": "bad_request",
  "error_description": "Invalid CORS settings"
}
Error Response (401 Unauthorized)
{
  "error": "unauthorized_client",
  "error_description": "Invalid token"
}
Error Response (404 Not Found)
{
  "error": "not_found",
  "error_description": "ApiProxy (name: MyAPI) was not found!"
}
cURL Example
Example 1: Enable CORS for All Origins
curl -X PATCH \
  "https://demo.apinizer.com/apiops/projects/MyProject/apiProxies/MyAPI/settings/cors/" \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "CORS Settings",
    "corsActive": true,
    "allowOriginList": ["*"],
    "allowMethodList": ["GET", "POST", "PUT", "DELETE"],
    "allowHeaderList": ["*"],
    "allowCredentials": "false",
    "maxAge": 3600
  }'
Example 2: Enable CORS for Specific Origins
curl -X PATCH \
  "https://demo.apinizer.com/apiops/projects/MyProject/apiProxies/MyAPI/settings/cors/" \
  -H "Authorization: Bearer YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "CORS Settings",
    "corsActive": true,
    "allowOriginList": [
      "https://example.com",
      "https://app.example.com"
    ],
    "allowMethodList": ["GET", "POST"],
    "allowHeaderList": ["Content-Type", "Authorization"],
    "exposeHeaderList": ["X-Custom-Header"],
    "allowCredentials": "true",
    "maxAge": 7200
  }'
Notes and Warnings
- Wildcard Origin: Using "*" in allowOriginList allows all origins but cannot be used with allowCredentials: "true"
- Credentials: When allowCredentials is "true", you must specify exact origins (no wildcard)
- Preflight Requests: The maxAge value determines how long browsers cache the result of a preflight OPTIONS request
- Headers: Use ["*"] in allowHeaderList to allow all headers, or specify exact header names
- Exposed Headers: Headers in exposeHeaderList are accessible to client-side JavaScript
- Permissions: Requires ROLE_MANAGE_PROXIES permission
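A pre-flight check of the request body against the rules above, written as an added example and not part of the Apinizer documentation or product. The function name lint_cors_settings and the GOOD and BAD bodies are constructed for illustration, and the bare-origin check (scheme and host, no path) is an added assumption about what an entry in allowOriginList should look like.

```python
from urllib.parse import urlsplit

# EnumHttpRequestMethod values as listed on this page.
HTTP_METHODS = {"GET", "POST", "PUT", "DELETE", "PATCH", "OPTIONS", "HEAD", "TRACE", "ALL"}


def lint_cors_settings(body):
    """Return a list of problems found in a CORS settings request body (a dict)."""
    problems = []
    if not isinstance(body.get("name"), str) or not body["name"]:
        problems.append("name: required string")

    creds = body.get("allowCredentials", "false")
    if creds not in ("true", "false"):  # a JSON boolean fails this test too
        problems.append('allowCredentials: must be the string "true" or "false"')

    origins = body.get("allowOriginList", [])
    if "*" in origins and creds in ("true", True):
        problems.append('allowOriginList: "*" cannot be combined with allowCredentials "true"')
    for origin in origins:
        if origin == "*":
            continue
        parts = urlsplit(origin) if isinstance(origin, str) else None
        # Added check (assumption): an origin is scheme://host[:port] with no path.
        if not parts or parts.scheme not in ("http", "https") or not parts.netloc \
                or parts.path or parts.query or parts.fragment:
            problems.append(f"allowOriginList: {origin!r} is not a bare origin")

    for method in body.get("allowMethodList", []):
        if method not in HTTP_METHODS:
            problems.append(f"allowMethodList: {method!r} is not in EnumHttpRequestMethod")

    max_age = body.get("maxAge", 3600)
    if isinstance(max_age, bool) or not isinstance(max_age, int):
        problems.append("maxAge: must be an integer number of seconds")
    return problems


# Constructed sample bodies: GOOD follows Example 2; BAD breaks several rules at once.
GOOD = {"name": "CORS Settings", "corsActive": True,
        "allowOriginList": ["https://example.com", "https://app.example.com"],
        "allowMethodList": ["GET", "POST"], "allowCredentials": "true", "maxAge": 7200}
BAD = {"name": "CORS Settings", "corsActive": True,
       "allowOriginList": ["*", "https://app.example.com/"],
       "allowMethodList": ["GET", "FETCH"], "allowCredentials": True, "maxAge": "3600"}

if __name__ == "__main__":
    for label, body in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, lint_cors_settings(body) or "ok")
```

Running such a check in a deployment pipeline before the PATCH call catches a wildcard origin paired with credentials before it reaches the gateway.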
Related Documentation
- Update Cache Settings - Update cache settings
- Get API Proxy - Get API proxy details