How APIM will handle options/pre-flight calls

Nadide, Shekhar Reddy 0 Reputation points
2024-06-17T10:28:45.46+00:00

I have one API with version - 1.

When I call the above API from an Angular app, I get a CORS error. Where do I set up CORS, and could you please explain how APIM handles pre-flight calls? Do we also need to enable authentication for pre-flight calls?


1 answer

  1. JananiRamesh-MSFT 23,486 Reputation points
    2024-06-19T08:02:25.1666667+00:00

    @Nadide, Shekhar Reddy Thanks for reaching out. To enable CORS for your API in APIM, you can use the cors policy in your inbound policy. The cors policy allows you to specify the allowed origins, methods, headers, and credentials for your API. Please refer to: https://learn.microsoft.com/en-us/azure/api-management/cors-policy

    Here is an example policy snippet that demonstrates how to use the cors policy:

    <inbound>
        <cors>
            <allowed-origins>
                <origin>http://example.com</origin>
            </allowed-origins>
            <allowed-methods>
                <method>GET</method>
                <method>POST</method>
            </allowed-methods>
            <allowed-headers>
                <header>Content-Type</header>
            </allowed-headers>
            <allow-credentials>true</allow-credentials>
        </cors>
    </inbound>

    This policy snippet sets the allowed origins to http://example.com, the allowed methods to GET and POST, and the allowed headers to Content-Type. It also allows credentials to be included in the request by setting allow-credentials to true.

    Regarding pre-flight calls, APIM automatically handles pre-flight requests by responding with the appropriate CORS headers. When a pre-flight request is received, APIM checks the Access-Control-Request-Method and Access-Control-Request-Headers headers to determine the allowed methods and headers for the API. It then responds with the appropriate Access-Control-Allow-Origin, Access-Control-Allow-Methods, and Access-Control-Allow-Headers headers.

    Regarding authentication for pre-flight calls, it is not necessary to enable authentication for pre-flight requests. Pre-flight requests are sent by the browser to determine whether the actual request is safe to send. They do not include any user credentials or sensitive information, and are not used to actually send data to the server. Therefore, it is safe to allow pre-flight requests without authentication.

    Do let me know in case of further queries; I would be happy to assist you.

    Please accept as Yes if the answer provided is useful, so that you can help others in the community looking for remediation for similar issues.

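A model of the preflight check described in the answer above, added here as an example: it is not part of the original answer and is not APIM's implementation, only the standard CORS preflight rules applied to the policy values from the snippet. `evaluatePreflight` and the request objects are hypothetical; the runs show that a preflight carries no credentials, and that a call which will later send an `Authorization` header is refused by a policy that lists only `Content-Type`.

```javascript
// Added model of a CORS preflight check; not APIM's implementation.
// Policy values are copied from the <cors> snippet in the answer.
const policy = {
  origins: ["http://example.com"],
  methods: ["GET", "POST"],
  headers: ["Content-Type"],
  allowCredentials: true,
};
// Header names are case-insensitive; method names are not.
const lower = (s) => s.trim().toLowerCase();

function evaluatePreflight(policy, req) {
  const h = Object.fromEntries(
    Object.entries(req.headers).map(([k, v]) => [lower(k), v]));
  const origin = h["origin"];
  const method = h["access-control-request-method"];
  // A preflight is an OPTIONS request carrying both of these headers.
  if (req.method !== "OPTIONS" || !origin || !method) {
    return { preflight: false, allowed: false, headers: {} };
  }
  const requested = (h["access-control-request-headers"] || "")
    .split(",").map(lower).filter(Boolean);
  const allowedHeaders = policy.headers.map(lower);
  const rejected = requested.filter((name) => !allowedHeaders.includes(name));
  const ok = policy.origins.includes(origin) &&
    policy.methods.includes(method) && rejected.length === 0;
  if (!ok) {
    // No CORS headers in the response: the browser blocks the real request.
    return { preflight: true, allowed: false, rejected, headers: {} };
  }
  const headers = {
    "Access-Control-Allow-Origin": origin, // echo the origin, never "*" with credentials
    "Access-Control-Allow-Methods": policy.methods.join(","),
    "Access-Control-Allow-Headers": policy.headers.join(","),
  };
  if (policy.allowCredentials) headers["Access-Control-Allow-Credentials"] = "true";
  return { preflight: true, allowed: true, rejected, headers };
}

// Constructed preflights, as a browser would send them for an Angular POST.
const preflight = (origin, reqHeaders) => ({
  method: "OPTIONS",
  headers: { Origin: origin, "Access-Control-Request-Method": "POST",
             "Access-Control-Request-Headers": reqHeaders },
});
const jsonPost = evaluatePreflight(policy, preflight("http://example.com", "content-type"));
const bearerPost = evaluatePreflight(policy, preflight("http://example.com", "authorization,content-type"));
const otherOrigin = evaluatePreflight(policy, preflight("http://other.example", "content-type"));
console.log(jsonPost.allowed, bearerPost.rejected, otherOrigin.allowed);
```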