This documentation is for WSO2 API Manager 2.0.0.
Page Comparison - Enabling CORS for APIs (v.22 vs v.23) - API Manager 2.0.0 - WSO2 Documentation


  1. Sign in to API Publisher and choose to design a new REST API.
  2. Click Start Creating.
  3. Give the information in the table below and click Add to add the resource.

    | Field | Sample value |
    |---|---|
    | URL Pattern | current/{country}/{zipcode} |
    | Request types | GET method to return the current weather conditions of a zip code that belongs to a particular country |


  4. Once done, click Next: Implement >.

  5. In the Implementation tab, provide the following endpoint details.

    | Field | Sample value |
    |---|---|
    | Endpoint type | HTTP/REST endpoint |
    | Production endpoint | You can find the Yahoo weather API's endpoint from Copy the part before the '?' sign to get this URL: |


  6. Select the Enable API based CORS Configuration check box to enable CORS for the API.
  7. Once you enable CORS, you will be able to see the CORS response header configuration section.
    Listed below are the CORS-specific response headers supported by the API Gateway and how to configure them.

    | Header | Description | Sample values |
    |---|---|---|
    | Access-Control-Allow-Origin | Determines whether a resource can be shared with the resource of a given origin. The API Gateway validates the origin request header value against the list of origins defined under the Access Control Allow Origins configuration (this can be All Allow Origins or a specific value like localhost). If the host is in the allowed origin list, it will be set as the Access-Control-Allow-Origin response header in the response. | All Allow Origins (*), localhost |
    | Access-Control-Allow-Headers | Determines, as part of the response to a preflight request (a request that checks to see if the CORS protocol is understood), which header field names can be used during the actual request. The gateway will set the header values defined under Access Control Allow Headers configurations. | authorization, Access-Control-Allow-Origin, Content-type, SOAPAction |
    | Access-Control-Allow-Methods | This header specifies the method(s) allowed when accessing the resource in response to a preflight request. Required methods can be defined under the Access Control Allow Method configuration. | GET, PUT, POST, DELETE, PATCH, OPTIONS |
    | Access-Control-Allow-Credentials | Determines whether or not the response to the request can be exposed to the page. It can be exposed when the header value is true. The header value can be set to true/false by enabling/disabling the Access Control Allow Credentials configuration. | true, false |
  8. Once the CORS configurations are done, click Next: Manage >.
  9. Select the Unlimited subscription tier and click Save and Publish to create and publish the API to the API Store.

You have successfully enabled CORS for a specific API.
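
The header behaviour described in the table under step 7, modelled as an added example that is not WSO2 gateway code, together with a review of the settings before publishing. The configuration object, function names and sample origin are hypothetical, and origins are assumed to be compared by exact string match.

```javascript
// Added illustration: a model of the behaviour in the table, not WSO2 gateway code.
// Constructed sample settings; the object shape and function names are hypothetical.
const sampleConfig = {
  allowOrigins: ["https://store.example.com"], // ["*"] models All Allow Origins
  allowHeaders: ["authorization", "Content-type", "SOAPAction"],
  allowMethods: ["GET", "OPTIONS"],
  allowCredentials: true,
};

// Headers a gateway would add for a request with the given Origin value.
// Assumption: origins are compared by exact string match.
function corsResponseHeaders(config, requestOrigin, isPreflight) {
  const headers = {};
  if (config.allowOrigins.includes("*")) {
    headers["Access-Control-Allow-Origin"] = "*";
  } else if (requestOrigin && config.allowOrigins.includes(requestOrigin)) {
    headers["Access-Control-Allow-Origin"] = requestOrigin;
  } else {
    return headers; // origin not allowed: no CORS headers, the browser blocks the read
  }
  if (config.allowCredentials) {
    headers["Access-Control-Allow-Credentials"] = "true";
  }
  if (isPreflight) {
    headers["Access-Control-Allow-Methods"] = config.allowMethods.join(", ");
    headers["Access-Control-Allow-Headers"] = config.allowHeaders.join(", ");
  }
  return headers;
}

// Pre-publish review of the settings; returns a list of findings.
function reviewCorsConfig(config) {
  const findings = [];
  const wildcard = config.allowOrigins.includes("*");
  if (wildcard && config.allowCredentials) {
    // Browsers reject credentialed responses whose Allow-Origin is "*".
    findings.push("wildcard origin combined with Allow-Credentials true");
  }
  if (wildcard) {
    findings.push("every origin can read responses; list specific origins unless the API is public");
  }
  return findings;
}

console.log(corsResponseHeaders(sampleConfig, "https://store.example.com", true));
console.log(reviewCorsConfig({ ...sampleConfig, allowOrigins: ["*"] }));
```

An origin that is not in the list gets no CORS headers at all, which is what makes the browser refuse to expose the response to the calling page.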