The Default CORS Policy Rule
Cross-Origin Resource Sharing (CORS) is an HTTP-header-based tool that's used to locate other origin servers that an end user's browser can use to get your content. CORS uses a "preflight check" mechanism: A request is made to the origin server where the cross-origin content is stored, to make sure the request is allowed. If it's allowed, the browser sends various headers that indicate the HTTP method and headers to be used in the actual request.
If you have CORS set up in your environmentβvia scripts in ths XMLHttpRequest
object on your site or app, or through some other mechanismβthe Modify Outgoing Response Header behaviors in this rule are set up to modify various Access-Control
response headers, to indicate what's supported after the CORS preflight check. This effectively sets the HTTP method and headers that a browser can use in a CORS request.


-
Access-Control-Allow-Origin. This modifies this header value to "*" to get the header to acknowledge all origin servers. This way, this header won't inadvertently block access to an origin that may host your content.
-
Access-Control-Allow-Methods. This modifies this header to ensure that only the GET, POST, and OPTIONS methods are allowed in a request from the browser.
-
Access-Control-Allow-Headers. This header indicates which HTTP headers can be used during the request from a browser. This modifies this header so that only
origin
,range
,hdntl
, andhdnts
request headers are supported. Thehdntl
andhdnts
headers are βAkamaiβ-specific headers used in the delivery of media content. -
Access-Control-Expose-Headers. This header indicates which response headers should be available to a script running in the requesting browser. This modifies this header so that only the
Server
,range
,hdntl
,hdnts
,Akamai-Mon-Iucid-Ing
,Akamai-Mon-Iucid-Del
, andAkamai-Request-BC
headers are supported. TheAkamai-Mon-Iucid-Ing
andAkamai-Mon-Iucid-Del
headers are included to support βAkamaiβ client-side analytics.Akamai-Request-BC
allows for CORS support with the Breadcrumbs feature with AMD. -
Access-Control-Allow-Credentials. This modifies this header to set it to
true
. When a request requires credentials for content, a browser will only pass the preflight check if the Access-Control-Allow-Credentials value istrue
. Credentials are cookies, authorization headers, or TLS client certificates. For example, with this value set to true, if your origin server requires credentials (a cookie) to access cross-origin content, and no cookie is present, the "credential check" fails. The response is then ignored by the browser and the content is not returned. -
Access-Control-Max-Age. This header determines how long the results of a preflight check can be cached. This sets it to
86400
seconds which equals 24 hours.
For best performance, we recommended that you leave this rule and all of its behaviors in the configuration. But, none of its settings are mandatory.
Updated 13 days ago