This article describes the introduction and processes of integrating CORS preflight caching with the CA API Gateway.

Cross-origin resource sharing (CORS) is a mechanism that allows resources (such as fonts, images, or multimedia) on a web page to be requested from another domain outside the domain from which the resource originated. CORS defines a way in which a browser and server can interact to safely determine whether or not to allow the cross-origin request. 

Open Web Application Security Project (OWASP) has identified a risk in the Cross-Origin Resource Sharing (CORS) request preflight process. Transmittal of CORS requests is handled by the client application used by the service consumer. A user could craft and send an HTTP request that does not use an allowed HTTP method or body. The CORS mechanism provides client and server applications with a protocol for engaging in a "preflight" exchange that determines what domains can request data and what HTTP methods are permitted. This exchange is typically executed using an HTTP request with the OPTIONS method. A CORS-compliant server application can respond with several CORS-specific headers that can inform the browser whether the application can request a specific resource.

The use of the preflight exchange is completely dependent upon the client application sending a preflight OPTIONS request. A client application can send an HTTP request to a service without previously sending the first request for preflight in an attempt to interact with the service and server in a malicious manner. The CORS policy implementation in the API Gateway is designed to provide a configurable proxy for web services and applications to mitigate abuse of CORS preflight processes by caching preflight requests and validating that subsequent requests correlate to an existing preflight request.

Product: Gateway

Version: 11

The Process CORS Request assertion allows a service to handle Cross-Origin Resource Sharing (CORS). This assertion sets the appropriate headers in the response message for CORS requests and if the origin conditions are met.

Note the following when using this assertion:

• The service must have the OPTIONS method enabled.
• There should be policy logic that returns HTTP status 200 immediately upon all successful CORS preflight requests.
• The Process CORS Request assertion appears before any authentication.

The documentation link has an example configuration and more details about this assertion.