Runtime response headers (CORS)

In response to a CORS simple or preflighted request from the browser, the HCP server responds with the corresponding CORS headers.

The following entries describe the CORS response headers. Each entry gives the header name, its description, and the request type (simple, preflight, or both) for which HCP returns it.

Response header: Access-Control-Allow-Origin

This response header indicates whether the response can be shared with the requesting code from the given origin.

If no applicable CORS rule is defined on the server, the Access-Control-Allow-Origin header is not included in the response, which causes the browser to deny access to the resource.

A '*' wildcard character by itself means that the resource is public and available to everyone. Using '*' as the value of this header together with credentials results in an error. For more information, see the Access-Control-Allow-Credentials entry below.

Request type: Simple, Preflight

Response header: Access-Control-Allow-Headers

Returned by the server in response to a preflight request that includes the Access-Control-Request-Headers header, to indicate which HTTP headers can be used in the actual request.

Only returned for the OPTIONS request, not for the preflighted API call.

Request type: Preflight

Response header: Access-Control-Allow-Methods

Returned by the server in response to a preflight request to specify the HTTP method or methods allowed when the actual request is made.

Only returned for the OPTIONS request, not for the preflighted API call.

Request type: Preflight

Response header: Access-Control-Expose-Headers

Optional: lists the response headers that browsers are allowed to access. By default, only the six simple response headers are exposed: cache-control, content-language, content-type, expires, last-modified, and pragma.

Only returned for the OPTIONS request, not for the preflighted API call.

Request type: Simple, Preflight

Response header: Access-Control-Max-Age: delta-seconds

Optional: indicates how long, in seconds, the results of a preflight request can be cached by the browser.

Request type: Preflight

Response header: Access-Control-Allow-Credentials: true

Optional: when used in a response to a preflight request, this header indicates whether the actual request can be made with credentials.

For a simple request, if the header is true, the response is ignored by the browser and no content is returned to the web browser. This header works in conjunction with the credentials option of the XHR or Fetch request.

HCP returns the value true for this header unless the AllowedOrigin element in the CORS rules configuration is defined as "*"; in that case, the Access-Control-Allow-Credentials header is not returned.

Note: A CORS-compliant HCP server does not return the Access-Control-Allow-Credentials header when the wildcard character "*" is defined as the AllowedOrigin and the value of the Access-Control-Allow-Origin response header is "*".

Request type: Simple, Preflight

Response header: Vary

This response header tells caches which request headers must match before a cached response can be reused instead of requesting a new response from the server.

If the HCP server sends a response with an Access-Control-Allow-Origin value that is an explicit origin (rather than the wildcard character "*"), the response should also include a Vary response header with the value Origin, to indicate that server responses can differ based on the value of the Origin request header.

The value of the Vary header is a comma-separated list of the header names on which the response can vary. For example:

Vary: Origin, Access-Control-Request-Headers, Access-Control-Request-Method

Request type: Simple, Preflight
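The rules above (no matching rule means no Access-Control-Allow-Origin; a "*" origin means no Access-Control-Allow-Credentials; an explicit origin means Vary: Origin; the Allow-Methods, Allow-Headers and Max-Age headers appear only on the OPTIONS preflight) can be written down as a small policy evaluator. The following is an added example, not HCP's code or its configuration syntax: the CorsRule shape, the header names used in the sample requests, and the browser_allows_read helper that mirrors the browser-side decision are all assumptions made for illustration. Access-Control-Expose-Headers is emitted on any matching response here, following the "Simple, Preflight" request type given for it.

```python
# Added example (not HCP's code): a policy evaluator that applies the CORS
# response-header rules described above, plus the browser-side decision those
# headers drive. The rule shape below is an assumption, not HCP's CORS
# configuration syntax.
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class CorsRule:
    """One CORS rule; allowed_origins holds explicit origins or ["*"]."""
    allowed_origins: List[str]
    allowed_methods: List[str]
    allowed_headers: List[str] = field(default_factory=list)
    expose_headers: List[str] = field(default_factory=list)
    max_age_seconds: Optional[int] = None


def match_rule(rules: List[CorsRule], origin: str) -> Optional[CorsRule]:
    """Return the first rule whose allowed origins cover the request origin."""
    for rule in rules:
        if "*" in rule.allowed_origins or origin in rule.allowed_origins:
            return rule
    return None


def cors_response_headers(rules: List[CorsRule], method: str,
                          request_headers: Dict[str, str]) -> Dict[str, str]:
    """Compute the CORS response headers for one simple or preflight request."""
    req = {k.lower(): v for k, v in request_headers.items()}
    origin = req.get("origin")
    if origin is None:
        return {}  # not a CORS request; nothing to add
    rule = match_rule(rules, origin)
    if rule is None:
        # No applicable rule: Allow-Origin is omitted and the browser denies
        # the cross-origin read.
        return {}
    out: Dict[str, str] = {}
    vary: List[str] = []
    if "*" in rule.allowed_origins:
        # Public resource. '*' cannot be combined with credentials, so the
        # Allow-Credentials header is withheld.
        out["Access-Control-Allow-Origin"] = "*"
    else:
        # Explicit origin echoed back; the response now varies per Origin.
        out["Access-Control-Allow-Origin"] = origin
        out["Access-Control-Allow-Credentials"] = "true"
        vary.append("Origin")
    is_preflight = (method.upper() == "OPTIONS"
                    and "access-control-request-method" in req)
    if is_preflight:
        # Preflight-only headers; the browser enforces them on the real call.
        out["Access-Control-Allow-Methods"] = ", ".join(rule.allowed_methods)
        if "access-control-request-headers" in req and rule.allowed_headers:
            out["Access-Control-Allow-Headers"] = ", ".join(rule.allowed_headers)
            vary.append("Access-Control-Request-Headers")
        vary.append("Access-Control-Request-Method")
        if rule.max_age_seconds is not None:
            out["Access-Control-Max-Age"] = str(rule.max_age_seconds)
    if rule.expose_headers:
        out["Access-Control-Expose-Headers"] = ", ".join(rule.expose_headers)
    if vary:
        out["Vary"] = ", ".join(vary)
    return out


def browser_allows_read(response_headers: Dict[str, str], origin: str,
                        with_credentials: bool = False) -> bool:
    """Mirror the browser-side decision the header descriptions imply."""
    acao = response_headers.get("Access-Control-Allow-Origin")
    if acao is None:
        return False  # header absent: access denied
    if acao == "*":
        return not with_credentials  # '*' with credentials is an error
    if acao != origin:
        return False
    if with_credentials:
        return response_headers.get("Access-Control-Allow-Credentials") == "true"
    return True


# Constructed sample configuration and requests (not real HCP settings).
RULES = [
    CorsRule(["https://app.example"], ["GET", "PUT"],
             allowed_headers=["x-custom-header"], expose_headers=["etag"],
             max_age_seconds=600),
    CorsRule(["*"], ["GET"]),
]
PREFLIGHT = cors_response_headers(RULES, "OPTIONS", {
    "Origin": "https://app.example",
    "Access-Control-Request-Method": "PUT",
    "Access-Control-Request-Headers": "x-custom-header",
})
PUBLIC_GET = cors_response_headers(RULES, "GET", {"Origin": "https://other.example"})

if __name__ == "__main__":
    for name, hdrs in (("preflight", PREFLIGHT), ("public GET", PUBLIC_GET)):
        print(f"--- {name} ---")
        for k, v in hdrs.items():
            print(f"{k}: {v}")
```

Running the block prints the preflight response for the explicit-origin rule (with Allow-Credentials and a full Vary list) next to the wildcard response for an unlisted origin (no Allow-Credentials, no Vary). Feeding the wildcard response to browser_allows_read with with_credentials=True returns False, which is the "error" the Access-Control-Allow-Origin entry warns about; removing the wildcard rule and asking for an unlisted origin yields no CORS headers at all, the deny-by-default case.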

© 2015, 2020 Hitachi Vantara LLC. All rights reserved.