---
title: Configuring administrative API CORS settings
description: Enabling cross-origin resource sharing (CORS) allows applications to make requests of PingFederate administrative API endpoints. You can define the domains of applications that are permitted to make CORS requests.
component: pingfederate
version: 13.1
page_id: pingfederate:administrators_reference_guide:pf_configuring_administrative_api_cors
canonical_url: https://docs.pingidentity.com/pingfederate/13.1/administrators_reference_guide/pf_configuring_administrative_api_cors.html
llms_txt: https://docs.pingidentity.com/pingfederate/llms.txt
docs_for_agents: https://developer.pingidentity.com/build-with-ai/docs-for-agents.md
revdate: February 13, 2025
section_ids:
  about-this-task: About this task
  steps: Steps
---

# Configuring administrative API CORS settings

## About this task

Enabling cross-origin resource sharing (CORS) allows applications to make requests of PingFederate administrative API endpoints. CORS is a mechanism to allow restricted resources, such as images and scripts, on a web page to be requested from a domain outside of the domain from which the first resource was served. You can define the domains of applications that are permitted to make CORS requests.

Learn more about CORS in [W3C's recommendations of Cross-Origin Resource Sharing](https://spec.whatwg.org/).

By default, CORS can accept the following request types:

* GET

* PUT

* POST

* DELETE

Requests can use the following headers:

* X-XSRF-Header

* Content-Type

* Accept

* Origin

* Authorization

You can modify these settings at `<pingfed-install>/server/default/data/admin-api.config.xml`.

The following are some example **Allowed Origins** entries and their behaviors:

* `https://www.example.com`

  CORS requests originating from `https://www.example.com` are allowed.

* `https://www.example.com:8080`

  CORS requests originating from `https://www.example.com:8080` are allowed.

* `https://www.example.com:*`

  CORS requests originating from any port on `https://www.example.com` are allowed. However, a port number is required in the `Origin` request header.

Add only specific, trusted domains. Using a wildcard or overly broad domain pattern introduces a high risk of unauthorized administrative actions. Also, unauthorized users can exploit unrestricted preflight requests to overwhelm the server, leading to a potential Denial-of-Service (DoS) attack.
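
The following added example (not PingFederate code) models the three **Allowed Origins** forms described above and lists entries that are broader than a single scheme, host, and port, so an origin list can be reviewed before it is entered. The function names, the literal string comparison, and the `admin.example.com` host are assumptions made for illustration.

```python
# Constructed sample entries in the three documented forms (not a real config).
ALLOWED = [
    "https://www.example.com",
    "https://www.example.com:8080",
    "https://admin.example.com:*",
]

def _parts(value):
    """Split 'scheme://host[:port]' into (scheme, host, port or None).
    Assumption: host names only; IPv6 literals are not handled."""
    scheme, sep, rest = value.partition("://")
    if not sep or not rest or "/" in rest:
        return None
    host, _, port = rest.partition(":")
    return scheme.lower(), host.lower(), (port or None)

def origin_allowed(origin, allowed=ALLOWED):
    """Return True if an Origin header value matches an allowed entry."""
    o = _parts(origin)
    if o is None:
        return False
    for entry in allowed:
        e = _parts(entry)
        if e is None or e[:2] != o[:2]:
            continue
        if e[2] == "*":
            # Port wildcard: any port, but the Origin must state one explicitly.
            if o[2] is not None and o[2].isdigit():
                return True
        elif e[2] == o[2]:
            return True
    return False

def review_entries(allowed):
    """List entries that are broader than one scheme, host and port."""
    findings = []
    for entry in allowed:
        e = _parts(entry)
        if e is None:
            findings.append((entry, "not scheme://host[:port]"))
        elif "*" in e[1]:
            findings.append((entry, "wildcard in host"))
        elif e[2] == "*":
            findings.append((entry, "any port on this host"))
        elif e[0] != "https":
            findings.append((entry, "non-HTTPS origin"))
    return findings
```
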

## Steps

1. Go to **System > Administrative API > CORS Settings**.

2. To enable CORS requests, select **Enable CORS**.

3. To add permitted CORS domains:

   1. Click **Add**.

   2. Enter a domain name in the **Allowed Origins** field.

4. Click **Save**.
