This page describes a number of configuration options to adjust the security of your CXO-Cockpit application. Basic knowledge of .NET configuration files is required to apply these options.
...
Cross-Origin Resource Sharing (CORS)
By From version 21.1.1, by default Cross-Origin Resource Sharing (CORS) settings are disabled, because CXO does not require CORS as the website and its APIs are hosted on the same server.
...
- Set "Cross-Origin Resource Sharing (CORS): Enabled" to true. Default value is false.
- Set "Cross-Origin Resource Sharing (CORS): Allowed origins" to a comma separated list of allowed origins (e.g. http://example1.com, https://example2.com). Default value is an empty string (no origins allowed).
- More info:
- The list of allowed origins should be as strict as possible.
- To allow multiple sub origins you can use "*" sign in the name e.g. (e.g. "https://*.example.com", "https://localhost*")
- It is possible to allow any origin by specifying "*" string it he "Allowed origins" field. This setting is strongly discouraged since it is insecure configuration. We advise to use it only for in experimentation phase.
- More info:
With CORS enabled, if you want to allow also sending credentials with a cross-origin requests, adjust the following settings
...