Before a CORS request is sent, the originating web server generally sends an OPTIONS request if the request from the client includes credentials. This pre-flight request is used to determine whether the target server permits CORS requests to be processed from the originating web server.
PingAccess can evaluate the headers provided in a CORS request to grant or deny access to resources.
In addition to allowing PingAccess to evaluate the CORS request, you can let the protected application handle the request and exclude PingAccess from evaluating the access request, if the target application type is API. To do this with a resource path that is protected by PingAccess and requires user authentication, configure a second resource with the same path pattern, but set Methods to OPTIONS; the Anonymous option needs to be cleared. This configuration allows the API request being made to be handled anonymously.
- Click Access and then go to .
- Click + Add Rule.
In the Name field, enter a unique name up to 64
Special characters and spaces are allowed.
- From the Type list, select Cross-Origin Request.
In the Allowed Origins field, enter one or more origin
- Click + New Value to add additional values.
Avoid using a value of * in this field. While this is a valid configuration, it is considered an insecure practice.
To configure additional options, click Show
- To permit user credentials to be used in determining access, enable Allow Credentials.
If you entered a wildcard in the Allowed Origins field, select the Mask Wildcard Policy checkbox to replace the Access-Control-Allow-Origin response header with the value provided in the request’s
To modify the Allowed Request Headers values, use the following options:
- To add a new header, click + New Value.
- To edit an existing header, click the field and make your changes.
- To remove an existing header, click the Delete icon.
The default headers are
- To make specific response headers available to the client that originated the cross-origin request, enter the headers in the Exposed Response Headers field.
- To add additional headers to the list, click + New Value.
- To define the request methods allowed in cross-origin requests, enter the desired overrides in the Overridden Request Methods field.
To modify the amount of time the pre-flight OPTIONS request is cached, enter the maximum age (in seconds) in the OPTIONS Cache Max Age field. The default is 600 seconds.
- Click Save.
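To review a rule before saving it, the following added example (not PingAccess code) models the fields from the procedure, computes the pre-flight response headers generic CORS handling would return, and flags risky setting combinations. The class, function and finding names are hypothetical, and it assumes that Mask Wildcard Policy echoes the request's Origin header value.

```python
from dataclasses import dataclass, field

@dataclass
class CorsRule:
    """Hypothetical model of the rule fields named above (not PingAccess code)."""
    allowed_origins: list
    allow_credentials: bool = False
    mask_wildcard: bool = False
    allowed_request_headers: list = field(default_factory=list)
    request_methods: list = field(default_factory=lambda: ["GET", "POST"])
    max_age: int = 600  # the page's default for OPTIONS Cache Max Age

def preflight_response(rule, origin, method, requested_headers=()):
    """Return the CORS response headers for a pre-flight, or None if denied."""
    wildcard = "*" in rule.allowed_origins
    if not wildcard and origin not in rule.allowed_origins:
        return None
    if method.upper() not in [m.upper() for m in rule.request_methods]:
        return None
    allowed = {h.lower() for h in rule.allowed_request_headers}
    if any(h.lower() not in allowed for h in requested_headers):
        return None
    # Assumption: masking echoes the request's Origin value instead of "*".
    acao = origin if (rule.mask_wildcard or not wildcard) else "*"
    headers = {"Access-Control-Allow-Origin": acao,
               "Access-Control-Allow-Methods": ", ".join(rule.request_methods),
               "Access-Control-Max-Age": str(rule.max_age)}
    if rule.allow_credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers

def audit(rule):
    """Flag the risky combinations of settings discussed in the procedure."""
    findings = []
    if "*" in rule.allowed_origins:
        findings.append("wildcard-origin")
        if rule.allow_credentials and rule.mask_wildcard:
            # Every origin is echoed back and may send credentialed requests.
            findings.append("any-origin-with-credentials")
        elif rule.allow_credentials:
            # Browsers refuse "*" together with credentials, so calls fail.
            findings.append("wildcard-rejected-with-credentials")
    return findings

if __name__ == "__main__":
    # Constructed sample rules and origins.
    strict = CorsRule(["https://app.example.com"], allow_credentials=True)
    risky = CorsRule(["*"], allow_credentials=True, mask_wildcard=True)
    for rule in (strict, risky):
        print(audit(rule), preflight_response(rule, "https://other.example", "GET"))
```

An explicit origin list produces no findings and denies unknown origins, while the wildcard rule with masking and credentials accepts any origin.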