Set up HTTP headers in Power Pages

The cross-origin resource sharing (CORS) protocol consists of a set of headers that indicates whether a response can be shared with another domain. You can configure CORS support in Power Pages using the Portal Management app by adding and configuring the site settings.

The following site settings are used to configure CORS:

Site Setting Request Header Description
HTTP/Access-Control-Allow-Credentials Access-Control-Allow-Credentials The only valid value for this header is true (case-sensitive). If you don't need credentials, omit this header entirely (rather than setting its value to false).
HTTP/Access-Control-Allow-Headers Access-Control-Allow-Headers A comma-delimited list of the supported HTTP request headers.
HTTP/Access-Control-Allow-Methods Access-Control-Allow-Methods A comma-delimited list of the allowed HTTP request methods such as GET, POST, OPTIONS.
HTTP/Access-Control-Allow-Origin Access-Control-Allow-Origin URL of the Microsoft Dataverse instance, such as To allow any URI to access your resources, use *.
HTTP/Access-Control-Expose-Headers Access-Control-Expose-Headers A comma-delimited list of HTTP header names other than the simple response headers that the resource might use and can be exposed.
HTTP/Access-Control-Max-Age Access-Control-Max-Age Maximum number of seconds the results can be cached.
HTTP/Content-Security-Policy Content-Security-Policy Controls resources the user agent is allowed to load for a given page.
HTTP/Content-Security-Policy-Report-Only Content-Security-Policy-Report-Only Allows web developers to experiment with policies by monitoring, but not enforcing, their effects. These violation reports consist of JSON documents sent via an HTTP POST request to the specified URI.
HTTP/X-Frame-Options X-Frame-Options Indicates whether a browser should be allowed to render a page in a <frame>, <iframe>, <embed> or <object>.
HTTP/X-Content-Type-Options X-Content-Type-Options Disables MIME sniffing and forces browser to use the type given in Content-Type.

Frequently asked questions

Is it possible to add a Cache-Control in http response header?

Cache-Control in http response header is added in all requests to the site, none of the Cache-Control directives are configurable. Cache-Control for anonymously accessible static files set to public. The max-age value is defaulted to 1 hour.

For more information about how to configure site settings in Power Pages, go to Manage site settings.