This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
I'm trying to create some APIs in R with Plumber. I have managed to publish the API on a server and I can access them via browser: Swagger is exposed without any authentication. The code is
# api.R
#* Echo back the input
#* @param msg The message to echo
#* @get /echo
function(msg="") {
list(msg = paste0("The message is: '", msg, "'"))
}
#* Plot a histogram
#* @serializer png
#* @get /plot
function() {
rand <- rnorm(100)
hist(rand)
}
#* Return the sum of two numbers
#* @param a The first number to add
#* @param b The second number to add
#* @post /sum
function(a, b) {
as.numeric(a) + as.numeric(b)
}
#* @filter cors
cors <- function(res) {
res$setHeader("Access-Control-Allow-Origin", "*")
plumber::forward()
}
and they are working.
I want to protect them and I think to use Azure API Management service. I have created the service and added the APIs using the Swagger document. Also, I added CORS in the Inbound processing.
In Settings I didn't change anything although I should use OpenID connect.
There is a simple api /echo that requires msg as parameter. If I run the test for this api, I receive 400 Bad Request.
In the Trace I have this error for 3 times:
cors (0.020 ms) "Origin header was missing or empty and the request was classified as not cross-domain. CORS policy was not applied."
I can't find what the error is about. Also, I Enable CORS in the Developer Portal although I think it is totally unrelated.
What did I do wrong? What is the correct configuration?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(294.40000000000003, 87%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EM%3C/text%3E%3C/svg%3E)
Hello @Enrico Rossini
Could you post the info under the Trace tab? Have you tried simulating a CORS request in Postman instead of Azure Portal? Generally speaking, If the end goal is to protect the backend API with minimal effort, I would look to implement IP based restrictions, and whitelist the IP address from your APIM: IP addresses of Azure API Management, and then move on to setting up the OpenID Connect part of the configuration.
CORS is only specific to async requests sent from browsers so the setting on Dev Portal is irrelevant as the session you initiated occurred outside of it.
This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
Thank you for your reply. I found the issue; it was in the firewall configuration. I have a different problem now.
@Enrico Rossini That's great! I'll review the problem described in your other thread and post an answer soon. In the meantime. please consider posting an answer and marking it as the accepted answer here so that it may benefit & help others visiting this thread in the future :)