Applying and Editing a CORS Policy

Cross-origins (CORS) HTTP requests let you request a resource from a different domain. This lets you share APIs across domains.

Applying a CORS Policy

To apply a CORS policy:

  1. Assuming you have signed in to Anypoint Platform, click APIs.

  2. Click the version number of an API, the 1.0development version of the T-Shirt Ordering Service for example.


  3. Click the Policies tab in lower part of API administration page.

    The list of any applied policies and available policies appears.

  4. In Available policies > Cross-Origin resource sharing, click Apply.


  5. If this is a public resource, click Apply. If not, uncheck Public resource.


    You can’t specify a new group until you specify the Default group. Note also that the Default group is not a fallback in the normal sense of a default. In this case, it is only the first group you configure for CORs.

  6. If needed, click Support credentials. For more information, see Mozilla’s Request with credentials discussion, which describes the concept.

  7. For the Default group, specify one or more domain names, such as Separate multiple names with commas.

  8. If needed, change the Access control max age for how long a preflight request can be cached.

  9. Click Apply.

Editing a CORS Policy

After creating a CORS policy as described in the last section, you can edit the policy by clicking Edit in your API’s portal.


  1. Change values as needed.

  2. Click Apply.