End of Sale Notice:

F5 NGINX is announcing the End of Sale (EoS) for NGINX Management Suite API Connectivity Manager Module, effective January 1, 2024.

F5 maintains generous lifecycle policies that allow customers to continue support and receive product updates. Existing API Connectivity Manager Module customers can continue to use the product past the EoS date. License renewals are not available after September 30, 2024.

See our End of Sale announcement for more details.

CORS

Learn how to use NGINX Management Suite API Connectivity Manager to handle Cross-Origin Resource Sharing for your backend services.

Overview

In API Connectivity Manager, you can apply global policies to API Gateways and Developer Portals to ensure your organization’s security requirements are enforced.

When you add policies at the environment level, they will apply to all proxies hosted within that environment.

See the Learn about Policies topic for an overview of the different policy types and available policies.

About the Policy

The CORS policy allows users to configure API Gateways to set the required headers to allow Cross-Origin Resource Sharing (CORS). CORS is a series of headers instructing web browsers which origins should be permitted to load resources other than the API Gateway origin.

Intended Audience

This guide is intended for API Owners — the individuals or teams who are responsible for designing, creating, and maintaining APIs.

Before You Begin

To complete the steps in this guide, you need the following:

API Connectivity Manager is installed, licensed, and running.
An API gateway environment
A published API Gateway

Policy Settings

The following table lists the configurable settings and their default values for the policy.

Field	Datatype	Possible Values	Description	Required	Default
`allowCredentials`	boolean	`true`, `false`	When set to `true`, the `Access-Control-Allow-Credentials` header is set to `true` for all responses.	No	`false`
`allowHeaders`	string array	Example: `["X-header-name", "Authorization"]`	Used to set the `Access-Control-Allow-Headers` header, which tells the browser which headers can be used in the request.	No	`["Authorization", "Origin", "Content-Type", "Accept", "X-Cache-Status"]`
`allowMethods`	string array	`["GET", "HEAD", "PUT", "PATCH", "POST", "DELETE", "OPTIONS", "TRACE", "CONNECT"]`	Used to set the `Access-Control-Allow-Methods` header, which tells the browser which methods can be used in the request.	No	`["GET", "HEAD", "OPTIONS"]`
`allowOrigins`	Origin array	Example: `[{"exact":"example1.com"},{"exact":"example2.com"}]`	Used to set the `Access-Control-Allow-Origins` header, which tells the browser which origins can make a request. If set to `[{"exact":"*"}]` all origins will be accepted.	No	`[{"exact":"*"}]`
`exposedHeaders`	string array	Example: `[ "header-name", "x-correlation-id", "*" ]`	Used to set the `Access-Control-Expose-Headers` header, which tells the browser which headers can be accessed in the response.	No	`[]`
`maxAge`	integer	5–60000	Used to set the `Access-Control-Max-Age` header, which tells the browser what is the maximum length of time in seconds that preflight requests can be cached	No	N/A
`preflightContinue`	boolean	`true`, `false`	When set to `true`, preflight requests are proxied to the backend service. Otherwise, they are handled by the API Gateway.	No	`false`

Note:
Setting a wildcard (*) in exposedHeaders does not include headers related to Access-Control-Allow-Credentials; those must explicitly be added to exposed headers.

Adding XYZ Policy

See Also:
You can use tools such as curl or Postman to interact with the API Connectivity Manager REST API. The API URL follows the format https://<NMS_FQDN>/api/acm/<API_VERSION> and must include authentication information with each call. For more information about authentication options, please refer to the API Overview.

To create an CORS policy using the REST API, send an HTTP PUT request to the Proxies endpoint.

Method	Endpoint
`POST`	`/services/workspaces/{SERVICE_WORKSPACE_NAME}/proxies`

JSON request

{
  "policies": {
    "cors": [
      {
        "action": {
          "allowCredentials": true,
          "allowMethods": [
            "GET", "HEAD", "PUT", "PATCH", "POST"
          ],
          "allowOrigins": [
            {
              "exact": "example.com"
            }
          ],
          "exposedHeaders": [
            "header-name", "x-correlation-id"
          ],
          "maxAge": 30000
        }
      }
    ]
  }
}

In a web browser, go to the FQDN for your NGINX Management Suite host and log in. Then, from the Launchpad menu, select API Connectivity Manager.
On the left menu, select Services.
Select a workspace in the list that contains the API Proxy you want to update.
On the workspace overview page, on the API Proxies tab, locate the API Proxy you want to update. Select the Actions menu (represented by an ellipsis, ...), then select Edit Proxy.
On the left menu, select API Proxy > Advanced > Policies.
On the Advanced > Policies page, on the API Proxy tab, locate CORS. Select the Actions menu (represented by an ellipsis, ...), then select Add Policy.
Modify the CORS configuration as needed.
Select Save to apply the policy to the API Proxy.
Select Save and Publish to deploy the configuration to the API Proxy.