Cross-Origin Resource Sharing (CORS)
CORS Overview
Cross-Origin Resource Sharing (CORS) is a browser security mechanism that restricts a web page from reading responses from a different origin than the one that served the page. CORS lets a server relax this restriction for specific resources by using HTTP headers to declare which origins are permitted to access them.
Our API now allows CORS from any origin, making it easier for developers to access our API services directly from their UI.
How to use CORS Allowance
To use CORS Allowance, you must include the appropriate HTTP headers in your API request.
The headers you need to include are:
- Access-Control-Allow-Origin: This header specifies which origins are allowed to access the API.
- Access-Control-Allow-Headers: This header specifies which headers are allowed in the API request.
- Access-Control-Allow-Methods: This header specifies which HTTP methods are allowed in the API request.
Example
To make a request to this endpoint from a page served by app.zettablock.com, the browser sends the Origin header with the request and the API answers with the Access-Control-* headers:
GET /getData HTTP/1.1
Host: api.zettablock.com
Origin: https://app.zettablock.com

HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Access-Control-Allow-Headers: *
Access-Control-Allow-Methods: *
In the above example, we have used * for all three headers, meaning that access will be allowed from any origin, with any request header and any HTTP method.
It is important to note that allowing all headers and methods can increase the attack surface of your API, potentially allowing malicious actors to abuse your API endpoints.
Therefore, you should consider restricting the allowed headers and methods to only those that are necessary for your API to function properly.
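The following is an added example, not ZettaBlock's own code, showing how a server can compute the CORS response headers for the /getData exchange above: the page's wildcard policy beside an allow-list policy that only admits https://app.zettablock.com, plus a preflight check. The allow-list, method list and header list are constructed assumptions.

```python
from typing import Optional

# Constructed policy for the example; not ZettaBlock's real configuration.
ALLOWED_ORIGINS = {"https://app.zettablock.com"}
ALLOWED_METHODS = "GET, OPTIONS"
ALLOWED_HEADERS = "Content-Type, Authorization"


def cors_headers(origin: Optional[str], wildcard: bool = False,
                 credentials: bool = False) -> dict:
    """Return the Access-Control-* response headers for a request carrying `origin`.

    Browsers compare Origin against Access-Control-Allow-Origin exactly
    (scheme, host and port), so the allow-list must hold full origins.
    """
    if origin is None:
        # Same-origin or non-browser client: CORS headers are not needed.
        return {}
    if wildcard:
        # The page's policy: any origin may read the response. Browsers refuse
        # to combine '*' with credentials, so no Allow-Credentials is emitted.
        return {"Access-Control-Allow-Origin": "*",
                "Access-Control-Allow-Methods": "*",
                "Access-Control-Allow-Headers": "*"}
    if origin not in ALLOWED_ORIGINS:
        # Unknown origin: omit the header and the browser blocks the read.
        return {}
    headers = {"Access-Control-Allow-Origin": origin,
               "Access-Control-Allow-Methods": ALLOWED_METHODS,
               "Access-Control-Allow-Headers": ALLOWED_HEADERS,
               # The response differs per origin, so shared caches must key on it.
               "Vary": "Origin"}
    if credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def preflight_ok(requested_method: str, requested_headers: str) -> bool:
    """Check an OPTIONS preflight (Access-Control-Request-Method /
    Access-Control-Request-Headers values) against the allow-list policy."""
    methods = {m.strip().upper() for m in ALLOWED_METHODS.split(",")}
    allowed = {h.strip().lower() for h in ALLOWED_HEADERS.split(",")}
    wanted = {h.strip().lower() for h in requested_headers.split(",") if h.strip()}
    return requested_method.upper() in methods and wanted <= allowed
```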
Conclusion
By allowing CORS from any origin, ZettaBlock makes it easier for developers to access our API services directly from clients' UI, without having to go through a proxy server. This improves the performance of their applications and reduces their server load.
Updated 9 months ago