Configuring Cross-origin resource sharing (CORS) - Platform - BlueCat Gateway - 24.1

Gateway Administration Guide

Product name
BlueCat Gateway

Within the Secuirty section of General configuration settings, you can specify Cross-Origin Resource Sharing (CORS) response headers for BlueCat Gateway.

CORS is an HTTP header-based standard that lets a server indicate different origins than its own from which a browser should allow loading of resources. The origin of any web content is defined by the scheme (protocol), host (domain), and port of the URL used to access it. CORS relies on a preflight mechanism, where servers make preflight requests to servers hosting cross-origin resources to make sure that the server will permit the actual request. This lets CORS support cross-origin requests and data transfers between browers and servers.

For more information on Cross-Origin Resource Sharing (CORS), refer to

To configure the Cross-Origin Resource Sharing response headers for BlueCat Gateway:

  1. Open the General configuration window, then expand the Security section. (Click the Navigator button if necessary, then click Configurations > General configuration. Click Security at the bottom to expand the Security settings.)

  2. Scroll down to the Cross-origin resource sharing section, then fill in the following CORS response header options

    For more details, see Cross-origin resource sharing (CORS) settings list below.

  3. When you're done, click Save.

    Note: You must restart the BlueCat Gatewaycontainer for changes to Cross-Origin Resource Sharing (CORS) headers to take effect.

    To cancel your changes, click Cancel instead.

Cross-origin resource sharing (CORS) settings list

The Interface section has the following settings.

Setting Description
Allow Origin

Specifies the domain or domains from which cross-site access to the site's resources should be allowed. To specify multiple domains, use a comma-separated list.

No other domain will be able to access the resource in a cross-site manner. By default, Allow Origin is set to the wildcard character *, which means that any origin can access the resource.

Allow Methods
A comma-separated list of allowed methods with which the resource can be queried. By default, Allow Methods is set to the following:
Allow Headers

A comma-separated list of permitted headers to use with the request. By default, the value is set to the * wildcard, allowing any header.

Expose Headers

A comma-separated list of permitted response headers to be made available to scripts running in the browser. The value of this field is used for the Access-Control-Expose-Headers value. (See Access-Control-Expose-Headers on the Mozilla website.)

By default, only CORS-safelisted response headers are exposed. To allow clients to access other headers, add those headers to this field. For a list of CORS-safelisted headres, see CORS-safelisted response header on the Mozilla website.

Max Age (seconds)

The maximum amount of time (in seconds) that the response to the preflight request can be cached without sending another preflight request.

Send Wildcard for Origin

If selected, a wildcard (*) character is sent as the origin.

Allow Credentials

If selected, the resonse to the request will be exposed when the credentials flag is true. Doing so enables the Access-Control-Allow-Credentials header.

Send Vary Header

If selected, Gateway sends Vary response headers.

This is typically used when the server specifies a single dynamic origin instead of the * wildcard. In these cases, the server should include Origin in the Vary response header, indicating that the CORS headers are dynamic and should not be cached.

Always send CORS header

If selected, Gateway always requests CORS, meaning that the request includes an Origin header.