Skip to main content
Version: v2.13.x LTS

Customizing Cross-Origin Resource Sharing (CORS)

Customizing Cross-Origin Resource Sharing (CORS)

Role: system programmer

As a system programmer, you can enable the Gateway to terminate CORS requests for itself and also for routed services. By default, Cross-Origin Resource Sharing (CORS) handling is disabled for Gateway routes gateway/api/v1/** and for individual services. After enabling the feature as stated in the following procedure, API Gateway endpoints start handling CORS requests. Individual services can control whether they want the Gateway to handle CORS for them through the Custom Metadata parameters.

When the Gateway handles CORS on behalf of the service, the Gateway sanitizes the following defined headers from the communication (upstream and downstream) in the following comma -separated list:


The resulting request to the service is not a CORS request. No additional specification of the service is required. The list can be overridden by specifying a different comma-separated list in the property components.gateway.apiml.service.ignoredHeadersWhenCorsEnabled in zowe.yaml.

Additionally, the Gateway handles the preflight requests on behalf of the service when CORS is enabled in Custom Metadata, replying with CORS headers:

  • Access-Control-Allow-Methods: GET,HEAD,POST,DELETE,PUT,OPTIONS
  • Access-Control-Allow-Headers: origin, x-requested-with
  • Access-Control-Allow-Credentials: true
  • Access-Control-Allow-Origin: *

Alternatively, list the origins as configured by the service, associated with the value customMetadata.apiml.corsAllowedOrigins in Custom Metadata.

If CORS is enabled for Gateway routes but not in Custom Metadata, the Gateway does not set any of the previously listed CORS headers. As such, the Gateway rejects any CORS requests with an origin header for the Gateway routes.

Use the following procedure to enable CORS handling.

  1. Open the file zowe.yaml.
  2. Find or add the property components.gateway.apiml.service.corsEnabled and set the value to true.
  3. Restart Zowe.

Requests through the Gateway now contain a CORS header.