Wildcard domains are not supported in APIM cors policy

Question

Wildcard domains are not supported in APIM cors policy

Hari Guvvala 20

Hi Team,

When I try to add a CORS domain with a wildcard in the APIM CORS policy, it is not supported. Can you please help me with this?.

<policies>
    <inbound>        
        <cors allow-credentials="true">
            <allowed-origins>
                <origin>https://*.os.au</origin>                
            </allowed-origins>
            <allowed-methods preflight-result-max-age="300">
                <method>GET</method>
                <method>POST</method>
                <method>PUT</method>
                <method>DELETE</method>
            </allowed-methods>
            <allowed-headers>
                <header>*</header>
            </allowed-headers>
            <expose-headers>
                <header>*</header>
            </expose-headers>
        </cors>

Accepted answer

0 additional answers

Your answer

Answer 1

Deepanshu katara 16,945 MVP Moderator

Hello Hari , Welcome to MS Q&A

It is because in Azure API Management, if the allowed origin is set to a wildcard ('*'), it cannot have CORS allowed credentials set to true. This is because specifying AllowAnyOrigin and AllowCredentials together is not secure and can lead to vulnerabilities such as cross-site request forgery.

CORS (Cross-Origin Resource Sharing) in Azure API Management supports wildcard origins, but there are important considerations. When using a wildcard (*) for allowed origins, you cannot also specify AllowCredentials. This combination is not secure and can lead to vulnerabilities such as cross-site request forgery. Instead, if you need to allow credentials, it's recommended to replace the wildcard with specific origins or wildcard subdomain

For more details, you can refer to the following documentation:

CORS in Azure API Management

Please let us know if any further questions

Kindly accept answer if it helps

Thanks
Deepanshu

Deepanshu katara 16,945 Reputation points MVP Moderator

2024-10-15T05:16:35.53+00:00

Following up to see if the provided answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.
Alexander Anderson 0 Reputation points

2025-06-10T01:53:08.9133333+00:00
Not the one who asked but I had a similar inquiry. The question is not towards a raw wildcard, it's towards a subdomain wildcard where they have control of the top level domain. While it's possible for someone to breach the domain security and obtain a subdomain they could use for traffic this poses a few questions;

Is it possible to breach a DNS such that you gain a sub-level domain but could not freely mangle the domain in question directly?

Would an attacker be able to gain a subdomain, issue a certificate for it, and establish that domain as a trust worthy target without gaining the ability to mangle the original domain in the first place?

Share via

Wildcard domains are not supported in APIM cors policy

0 additional answers

Your answer