How can I customize CORS policy response

Lily 116 Reputation points


We're testing the CORS policy and need to know if it's possible to customize the response code/body.

<cors allow-credentials="false" terminate-unmatched-request="true">
    <origin>origin uri</origin>

When the request doesn't match allowed origins under terminate-unmatched-request="true", the response is a 200 with an empty value.


Our client finds this confusing; it's hard to tell if the empty response indicates normal operation or a CORS block.

Can you advise if we can customize the response? Thank you.

Azure API Management
An Azure service that provides a hybrid, multi-cloud management platform for APIs.

1 answer

  1. Ryan Hill 26,241 Reputation points Microsoft Employee

    Hi @Lily,

    I know APIM does allow conditionally overriding header values. You may be able to use the set-body policy to override as well.

    <cors allow-credentials="false">
        <when condition="@(context.Request.Headers.GetValueOrDefault("Origin","").Contains(""))">
            <set-body template="none" />
        <otherwise />

    However, what I suggest is setting terminate-unmatched-request to false, per Scenario 7: terminate-unmatched-request on

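An added example, not part of the question or the answer above and not Microsoft's code: a Python check a test client can run to tell an empty 200 returned for an unmatched origin apart from a legitimately empty response, by applying the same Access-Control-Allow-Origin comparison a browser performs. The function names, the origin and the sample responses are constructed, and it assumes the terminated response carries no Access-Control-Allow-Origin header for the caller.

```python
# Added example: decide whether a response would pass the browser's CORS check.
# ORIGIN and SAMPLES are constructed values, not captured from a real gateway.

ORIGIN = "https://app.example.test"


def passes_cors_check(origin, headers, credentials=False):
    """True if a browser would expose this response to a page at `origin`."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    acao = h.get("access-control-allow-origin")
    if acao is None:
        return False  # no CORS headers at all: the browser hides the response
    if credentials:
        # Credentialed requests need an exact origin echo and Allow-Credentials: true.
        return acao == origin and h.get("access-control-allow-credentials") == "true"
    return acao in ("*", origin)


def classify(origin, status, headers, body=b"", credentials=False):
    """Label a response so an empty 200 is not mistaken for success."""
    allowed = passes_cors_check(origin, headers, credentials)
    empty = status == 200 and not body
    if allowed:
        return "allowed-empty" if empty else "allowed"
    return "blocked-empty-200" if empty else "blocked"


# Constructed responses: (status, headers, body)
SAMPLES = [
    (200, {"Content-Length": "0"}, b""),
    (200, {"Access-Control-Allow-Origin": ORIGIN, "Content-Length": "0"}, b""),
    (200, {"Access-Control-Allow-Origin": ORIGIN}, b'{"ok": true}'),
    (200, {"Access-Control-Allow-Origin": "https://other.example.test"}, b""),
]

if __name__ == "__main__":
    for status, headers, body in SAMPLES:
        print(status, headers, "->", classify(ORIGIN, status, headers, body))
```
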