From DreamFactory
Jump to: navigation, search

DreamFactory implements Cross-Origin Resource Sharing (CORS) as a system level web service. The Admin Panel has a simple interface that can enable any host domain to use the DreamFactory REST API. By default, CORS is turned off and the services are only available from the originating host.

DreamFactory supports granular configuration of CORS at HTTP Verbs and API level, meaning you can configure DreamFactory to allow a host to have controlled-access (GET, POST, PUT, PATCH, DELETE) for specific API paths only. This allows for enabling CORS for a specific service and does not expose the entire system over CORS.

Programmable CORS support prevents cross-site scripting attacks and use of the API from unauthorized sources, but still allows the administrator to add necessary exceptions and temporary allowances for testing, etc.