Before a CORS request is sent, the originating web server generally sends a pre-flight OPTIONS request if the request from the client includes credentials. This pre-flight request is used to determine if the target server permits CORS requests to be processed from the originating web server.

PingAccess can evaluate the headers provided in a CORS request to grant or deny access to resources.


In addition to having PingAccess evaluate the CORS request, if the target application type is API you can instead let the protected application handle the request and exclude PingAccess from evaluating the access request. To do this for a resource path that is protected by PingAccess and requires user authentication, configure a second resource with the same path pattern, set the Methods field to OPTIONS, and clear the Anonymous option. This configuration allows the API request to be handled anonymously.

  1. Click Access and then go to Rules > Rules.
  2. Click + Add Rule.
  3. In the Name field, enter a unique name up to 64 characters long.

    Special characters and spaces are allowed.

  4. From the Type list, select Cross-Origin Request.
  5. In the Allowed Origins field, enter one or more origin values.
    1. Click + New Value to add additional values.

    Avoid using a value of * in this field. While this is a valid configuration, it is considered an insecure practice.

  6. Optional: To configure additional options, click Show Advanced.
    1. To permit user credentials to be used in determining access, enable Allow Credentials.
    2. If you entered a wildcard in the Allowed Origins field, select the Mask Wildcard Policy checkbox to replace the Access-Control-Allow-Origin response header with the value provided in the request’s Origin header.
    3. To modify the Allowed Request Headers values, use the following options:
      • To add a new header, click + New Value.
      • To edit an existing header, click the field and make your changes.
      • To remove an existing header, click the Delete icon.

      The default headers are Authorization, Content-Type, and Accept.

    4. To make specific response headers available to the client that originated the cross-origin request, enter the headers in the Exposed Response Headers field.
    5. To add additional headers to the list, click + New Value.
    6. To define the request methods allowed in cross-origin requests, enter the desired overrides in the Overridden Request Methods field.
    7. To modify the amount of time the pre-flight OPTIONS request is cached, enter the maximum age (in seconds) in the OPTIONS Cache Max Age field.

      The default is 600 seconds.

  7. Click Save.
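As an added example that is not PingAccess's own code, the following Python models how a rule with the fields configured above could evaluate a pre-flight OPTIONS request and flag the insecure wildcard combinations the steps warn about. Field names follow the UI fields; the origin-matching semantics (shell-style wildcards) are an assumption made for illustration.

```python
# Added example, not PingAccess code: the field names mirror the Cross-Origin
# Request rule's UI fields; the matching logic is an assumption for illustration.
from dataclasses import dataclass, field
from fnmatch import fnmatchcase
from typing import Dict, List, Optional

@dataclass
class CorsRule:
    allowed_origins: List[str]                 # e.g. ["https://app.example.com"]
    allow_credentials: bool = False
    mask_wildcard_policy: bool = False
    allowed_request_headers: List[str] = field(
        default_factory=lambda: ["Authorization", "Content-Type", "Accept"])
    overridden_request_methods: List[str] = field(default_factory=list)
    options_cache_max_age: int = 600           # default shown in the steps above

def rule_warnings(rule: CorsRule) -> List[str]:
    """Flag the insecure combinations the steps above warn about."""
    warnings = []
    if "*" in rule.allowed_origins:
        warnings.append("Allowed Origins contains '*' (valid but insecure)")
        if rule.allow_credentials and not rule.mask_wildcard_policy:
            warnings.append("'*' with credentials: browsers reject the response unless the wildcard is masked")
    return warnings

def evaluate_preflight(rule: CorsRule, req: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Return the CORS response headers for a pre-flight request, or None to deny it."""
    origin = req.get("Origin", "")
    matched = next((p for p in rule.allowed_origins if fnmatchcase(origin, p)), None)
    if matched is None:
        return None
    method = req.get("Access-Control-Request-Method", "GET").upper()
    if rule.overridden_request_methods and method not in rule.overridden_request_methods:
        return None
    # Every header the client asks for must be on the rule's allow-list (case-insensitive).
    allowed = {h.lower() for h in rule.allowed_request_headers}
    requested = [h.strip() for h in req.get("Access-Control-Request-Headers", "").split(",") if h.strip()]
    if any(h.lower() not in allowed for h in requested):
        return None
    # Mask Wildcard Policy: echo the request's Origin instead of the wildcard pattern.
    acao = origin if (rule.mask_wildcard_policy and "*" in matched) else matched
    headers = {
        "Access-Control-Allow-Origin": acao,
        "Access-Control-Allow-Methods": ", ".join(rule.overridden_request_methods or [method]),
        "Access-Control-Allow-Headers": ", ".join(rule.allowed_request_headers),
        "Access-Control-Max-Age": str(rule.options_cache_max_age),
    }
    if rule.allow_credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers
```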