# How to use the CORS policy on the Digibee Integration Platform

**CORS (Cross-Origin Resource Sharing)** is a security policy implemented by web browsers that allows a server to restrict which origins can access its resources through HTTP requests.

Using CORS is recommended whenever a web application needs to make HTTP requests to resources located on a different domain or port from where the application is hosted. This helps protect the server from malicious attacks that might attempt to access resources inappropriately.

## How it works

When a web page makes a request to a different domain, the browser will first send a **Preflight request** to that domain's server. In this “test request”, the server responds with a set of headers indicating whether the request is allowed. If the request is permitted, the browser proceeds with the actual request.

### Headers

Some of the most common headers used in CORS include:

* **Access-Control-Allow-Origin**: Specifies which origins are allowed to access the resource. It can be the single value `*`, which allows any origin to access the resource, or a list of specific domains.
* **Access-Control-Allow-Methods**: Specifies which HTTP methods are allowed for the resource request (for example, `GET`, `POST`, `DELETE`).
* **Access-Control-Allow-Headers**: Specifies which custom headers are allowed in the resource request. This is necessary for sending custom headers like `Authorization`.
* **Access-Control-Expose-Headers**: Specifies which custom headers are exposed in the resource response.
* **Access-Control-Allow-Credentials**: Specifies whether the resource can be accessed with credentials (for example, cookies, authorization headers, and so on) from the requesting origin.

## CORS on the Digibee Integration Platform

The CORS policy is available for the following triggers:

* [**HTTP**](/documentation/connectors-and-triggers/triggers/web-protocols/http.md)
* [**HTTP File (Download and Upload)**](/documentation/connectors-and-triggers/triggers/web-protocols/http-file.md)
* [**REST**](/documentation/connectors-and-triggers/triggers/web-protocols/rest.md)

CORS can be configured individually within pipelines, or globally for the entire realm through the [Global CORS Configuration](/documentation/developer-guide/platform-administration/governance/policies/transformation/cors-http-header.md).

## Example

### CORS policy configuration in a pipeline trigger

For this example:

* The [**REST Trigger**](/documentation/connectors-and-triggers/triggers/web-protocols/rest.md) is configured with the `GET` and `OPTIONS` methods.
* During setup, CORS is enabled and the CORS headers are defined as follows:
  * **Access-Control-Allow-Origin** to allow any origin (value: `*`).
  * **Access-Control-Allow-Methods** to allow only the `GET` method.
  * **Access-Control-Allow-Headers** to allow requests containing only the headers `Authorization`, `Content-Type`, and `apikey`.

<figure><img src="/files/Ggt5wyeRYKHPB9blgfbk" alt=""><figcaption></figcaption></figure>

<details>

<summary>Example 1: Successful request (authorized by the browser)</summary>

A request is made through Google Chrome using the `GET` method and the headers `Content-Type` and `apikey`.

<figure><img src="/files/vRfW3hNcrefVC9xqdwVM" alt=""><figcaption></figcaption></figure>

The browser sends a **Preflight** request to the Digibee endpoint using the `OPTIONS` method, which returns the CORS headers. Since the request complies with the CORS policy configured in the pipeline trigger, the `GET` request is authorized.

<figure><img src="/files/e2YxpJiMRjWchGP3l2PB" alt=""><figcaption></figcaption></figure>

The `GET` request returned successfully and it’s now possible to continue with the normal pipeline flow.

</details>

<details>

<summary>Example 2: Unsuccessful request (denied by the browser)</summary>

The same request is made, but this time with an additional header: `test`.

<figure><img src="/files/58nDQOkfyB6JodUhHzcs" alt=""><figcaption></figcaption></figure>

Since the `test` header is not authorized in the CORS configuration, the request is blocked by the CORS policy and the `GET` request will not get to Digibee.

<figure><img src="/files/JohPeMFYWyBGOS2Qzqvw" alt=""><figcaption></figcaption></figure>

</details>

<details>

<summary>Example 3: Unsuccessful request (denied by the browser)</summary>

In this case, the headers comply with the CORS policy, but the `POST` method used in the browser request is not configured in the trigger. This results in a **404 Not Found** error.

<figure><img src="/files/n8Bgu16TWEA3suAhr9Bz" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/ZrLsPVks4GSPr7VCVDxK" alt=""><figcaption></figcaption></figure>

</details>
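
The three requests above can be replayed against a simplified model of the browser's preflight check. This is an added example, not Digibee code or part of the original guide; it follows the Fetch standard's preflight rules and goes slightly beyond the page by also modelling the credentialed case. The origin `https://app.example.com`, the `application/json` content type, and the function names are assumptions.

```javascript
// Added example (not Digibee code): the browser's preflight decision, simplified
// from the Fetch standard. POLICY mirrors the trigger configuration on this page.
const POLICY = {
  "access-control-allow-origin": "*",
  "access-control-allow-methods": "GET",
  "access-control-allow-headers": "Authorization, Content-Type, apikey",
};
const SAFELISTED_METHODS = ["GET", "HEAD", "POST"]; // never need to be listed
const SAFELISTED_HEADERS = ["accept", "accept-language", "content-language"];
const SIMPLE_CONTENT_TYPES = [
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain",
];
const parseList = (v) =>
  (v || "").split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);

// Names of request headers that must appear in Access-Control-Allow-Headers.
// Simplification: value-length limits and the Range header are not modelled.
function unsafeHeaderNames(headers) {
  return Object.entries(headers)
    .filter(([name, value]) => {
      const n = name.toLowerCase();
      if (n !== "content-type") return !SAFELISTED_HEADERS.includes(n);
      const mime = String(value).split(";")[0].trim().toLowerCase();
      return !SIMPLE_CONTENT_TYPES.includes(mime);
    })
    .map(([name]) => name.toLowerCase());
}

function preflightDecision({ origin, method, headers = {}, credentials = false }, policy = POLICY) {
  const allowOrigin = policy["access-control-allow-origin"];
  // With credentials, "*" is not accepted and Allow-Credentials must be "true".
  const originOk = credentials
    ? allowOrigin === origin && policy["access-control-allow-credentials"] === "true"
    : allowOrigin === "*" || allowOrigin === origin;
  if (!originOk) return { allowed: false, reason: "origin" };

  const methods = parseList(policy["access-control-allow-methods"]);
  const m = method.toUpperCase();
  const methodOk = SAFELISTED_METHODS.includes(m) ||
    methods.includes(m.toLowerCase()) || (!credentials && methods.includes("*"));
  if (!methodOk) return { allowed: false, reason: "method" };

  const allowed = parseList(policy["access-control-allow-headers"]);
  const wildcard = !credentials && allowed.includes("*");
  // Authorization is never covered by "*"; it has to be listed by name.
  const blocked = unsafeHeaderNames(headers).filter(
    (n) => !allowed.includes(n) && !(wildcard && n !== "authorization"));
  return blocked.length ? { allowed: false, reason: "header", blocked } : { allowed: true };
}
```

Under these rules `POST` passes the CORS method check even though only `GET` is listed, because `GET`, `HEAD` and `POST` are safelisted methods; the failure in Example 3 comes from the trigger not being configured for `POST`, as described above. A credentialed request would be refused at the origin step, since `*` is not accepted together with credentials.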


