Configuring administrative API CORS settings
About this task
Enabling cross-origin resource sharing (CORS) allows browser-based applications to make requests to PingFederate administrative API endpoints. You can define the origins (domains) of applications that are permitted to make CORS requests.
Learn more about CORS in the W3C's Cross-Origin Resource Sharing recommendation.
By default, CORS can accept the following request types:
- GET
- PUT
- POST
- DELETE
Requests can use the following headers:
- X-XSRF-Header
- Content-Type
- Accept
- Origin
- Authorization
You can modify these settings at <pingfed-install>/server/default/data/admin-api.config.xml.
The following are some example Allowed Origins entries and their behaviors:
- https://www.example.com
  CORS requests originating from https://www.example.com are allowed.
- https://www.example.com:8080
  CORS requests originating from https://www.example.com:8080 are allowed.
- https://www.example.com:*
  CORS requests originating from any port on https://www.example.com are allowed. However, a port number is required in the Origin request header.
Add only specific, trusted domains. Using a wildcard or overly broad domain pattern introduces a high risk of unauthorized administrative actions. Also, unauthorized users can exploit unrestricted preflight requests to overwhelm the server, leading to a potential Denial-of-Service (DoS) attack.
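The matching rules shown in the examples above, written out as a small Python model so you can test an Allowed Origins list before you commit it. This is an added example, not PingFederate's own code: it assumes scheme and host must match exactly (host compared case-insensitively), that a `:*` entry only matches an Origin header that carries an explicit port, and that default ports are not normalised (`https://www.example.com` and `https://www.example.com:443` are treated as different origins). The `overly_broad_entries` helper is a hypothetical review check that flags the kind of wildcard host entries the caution above warns against.

```python
def parse_origin(value):
    """Split an origin string into (scheme, host, port).

    port is None when absent, "*" for a wildcard-port entry.
    Returns None for anything that is not a bare origin (path, userinfo, ...).
    Bracketed IPv6 hosts without a port are handled; this is a model, not an RFC 6454 parser.
    """
    scheme, sep, rest = value.partition("://")
    if not sep or not scheme or not rest or "/" in rest or "@" in rest:
        return None
    if ":" in rest and not rest.endswith("]"):
        host, _, port = rest.rpartition(":")
    else:
        host, port = rest, None
    if not host:
        return None
    return scheme.lower(), host.lower(), port


def origin_allowed(origin_header, allowed_origins):
    """Decide whether the request's Origin header matches any Allowed Origins entry."""
    req = parse_origin(origin_header)
    # A real Origin header never carries a wildcard or non-numeric port.
    if req is None or (req[2] is not None and not req[2].isdigit()):
        return False
    scheme, host, port = req
    for entry in allowed_origins:
        parsed = parse_origin(entry)
        if parsed is None:
            continue  # malformed entry never matches anything
        e_scheme, e_host, e_port = parsed
        if (e_scheme, e_host) != (scheme, host):
            continue
        if e_port == "*":
            # Wildcard port: the Origin header must still state a port explicitly.
            if port is not None:
                return True
        elif e_port == port:
            return True
    return False


def overly_broad_entries(allowed_origins):
    """Flag entries a reviewer should reject: a bare '*' or a '*' in the host part."""
    flagged = []
    for entry in allowed_origins:
        parsed = parse_origin(entry)
        if parsed is None or "*" in parsed[1]:
            flagged.append(entry)
    return flagged


# Constructed sample allow list mirroring the three documented entry forms.
SAMPLE_ALLOWED = ["https://www.example.com", "https://www.example.com:8080", "https://admin.example.com:*"]
```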
Steps
1. Go to System > Administrative API > CORS Settings.
2. To enable CORS requests, select Enable CORS.
3. To add permitted CORS domains:
   - Click Add.
   - Enter a domain name in the Allowed Origins field.
4. Click Save.