If you want to disable CORS then you do so using the cors policy in your api assembly. There is a setting in the API to explicitly set whether you want CORS on or off.
See the docs here for pointers as to how to adapt the cors support in your API: https://www.ibm.com/docs/en/api-connect/10.0.5.x_lts?topic=api-enabling-cors-support
You are likely to encounter issues if you tell the gateway that CORS is enabled but then manually hack the headers out of the response as you're trying to do above. That does not seem like a good plan.
Note that disabling the CORS headers will mean all web based test tools will not be able to call your API - that includes the Developer Portal and API Manager test tools. They both rely on CORS and cannot work without it.
------------------------------
Chris Dudley
------------------------------
Original Message:
Sent: Tue March 14, 2023 04:15 PM
From: Kshitij Khanna
Subject: Removing CORS Headers (Access-Control-Allow-Origin, Access-Control-Allow-Methods) from API Connect Response
I want to remove the CORS Headers - Access-Control-Allow-Origin & Access-Control-Allow-Methods from API Connect Response for an API.
I tried the following methods in the assembly but they didnt work.
Javascript :
hm.current.remove('Access-Control-Allow-Origin');
XSLT:
<dp:remove-http-response-header name="Access-Control-Allow-Origin"/>
I also tried the global post response hooks policy but that also didnt help. The assembly for the policy is as follows:
assembly:
execute:
- set-variable:
version: 1.0.0
title: Remove Access Control Haders
actions:
- clear: message.headers.access-control-allow-origin
- clear: message.headers.access-control-allow-methods
Pleaset let us know how to remove them if the CORS is enabled in an API. I have been trying to work on extensions but getting my existing policy hasnt been easy.
------------------------------
Kshitij Khanna
------------------------------