Teddy_Brewski
Feb 05, 2026
Solved

CORS with API calls

Hello,

Sorry if this is an obvious question -- we're very new to XC.

We're using XC with one load balancer with CORS activated. It works fine for web applications but all API calls (to our internal APIs) are blocked because of missing origin header.

What is the correct way to handle it? Ask the connecting party to insert origin headers? Dedicate another load balancer (to be used for APIs only) with CORS disabled?

Thank you.

  • Nikoolayy1
    Feb 17, 2026

    There is a disable option for the 2 policies in the advanced options under the route, to stop them when they are globally enabled under the entire LB, just for a route that matches specific URLs and hosts.

4 Replies

  • Adding 1 request header with a static value programmatically should be extremely easy.
    In comparison, the authorization request header value is dynami

  • I suspect your API client does not support CORS, as this is more of a browser feature to protect browsers from getting redirected to external domains by an attacker. Better to have 2 XC VIPs, one for API and one for browsers, or, if you know the API URLs, to make XC routes to disable CORS just for those URLs.

    See:

    https://beeceptor.com/docs/concepts/cors/

    • Teddy_Brewski

      Thank you Nikoolayy1

      We confirmed that our API clients do not send an Origin header, hence it's blocked.

      We use one load balancer with multiple routes where traffic is routed based on Host headers.

      The Cross-Site Request Forgery Protection option is enabled globally (on the load balancer level) with all domains listed. I see CORS Policy and CSRF Policy under Advanced Options (in the Route section), but neither is configured. How can I use XC routes?

      • Nikoolayy1

        There is a disable option for the 2 policies in the advanced options under the route, to stop them when they are globally enabled under the entire LB, just for a route that matches specific URLs and hosts.
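
The behaviour discussed in this thread, as an added example that is not part of the original posts and is not F5 XC's own code or configuration schema: a simplified Python model of an LB-wide Origin check with a per-route disable, plus an audit for cookie-bearing requests on an exempt route. All class, field and host names are assumptions made for illustration, and the model assumes the check applies to every request.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

@dataclass
class Route:
    host: str                            # matched against the Host header
    path_prefix: str
    origin_check_disabled: bool = False  # models the per-route "disable" option

@dataclass
class LoadBalancer:
    allowed_domains: set                 # domains listed on the LB-wide policy
    routes: list

    def match(self, host, path):
        # First route whose host and path prefix both match.
        return next((r for r in self.routes
                     if r.host == host and path.startswith(r.path_prefix)), None)

    def decide(self, host, path, headers):
        hdrs = {k.lower(): v for k, v in headers.items()}
        route = self.match(host, path)
        if route and route.origin_check_disabled:
            return "allow:route-exempt"
        origin = hdrs.get("origin")
        if origin is None:
            return "block:missing-origin"    # what header-less API clients hit
        if urlsplit(origin).hostname in self.allowed_domains:
            return "allow:origin-listed"
        return "block:origin-not-listed"

def cookie_on_exempt_route(lb, requests):
    # Audit: a Cookie header on an exempt route means a browser session
    # can reach it with no Origin check; such routes need token auth only.
    flagged = []
    for host, path, headers in requests:
        route = lb.match(host, path)
        exempt = route and route.origin_check_disabled
        if exempt and any(k.lower() == "cookie" for k in headers):
            flagged.append((host, path))
    return flagged

def build(exempt_api):
    # Constructed sample: two hosts behind one LB; all names are made up.
    return LoadBalancer({"app.example.com", "api.example.com"}, [
        Route("app.example.com", "/"),
        Route("api.example.com", "/", origin_check_disabled=exempt_api)])

API_CALL = ("api.example.com", "/v1/orders", {"Authorization": "Bearer <token>"})
BROWSER_OK = ("app.example.com", "/cart", {"Origin": "https://app.example.com"})
BROWSER_BAD = ("app.example.com", "/cart", {"Origin": "https://other.example"})
print(build(False).decide(*API_CALL), "->", build(True).decide(*API_CALL))
```

Exempting only the API host leaves the browser-facing route under the global check, which is why `BROWSER_BAD` is still blocked in both configurations.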