![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(99.2, 53%, 19%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ENS%3C/text%3E%3C/svg%3E)
Azure API Management
An Azure service that provides a hybrid, multi-cloud management platform for APIs.
1,902 questions
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(0, 59%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJM%3C/text%3E%3C/svg%3E)
@Nadide, Shekhar Reddy Thanks for reaching out. To enable CORS for your API in APIM, you can use the cors policy in your inbound policy. The cors policy allows you to specify the allowed origins, methods, headers, and credentials for your API. please refer: https://video2.skills-academy.com/en-us/azure/api-management/cors-policy
Here is an example policy snippet that demonstrates how to use the cors policy:
<inbound>
<cors>
<allowed-origins>
<origin>http://example.com</origin>
</allowed-origins>
<allowed-methods>
<method>GET</method>
<method>POST</method>
</allowed-methods>
<allowed-headers>
<header>Content-Type</header>
</allowed-headers>
<allow-credentials>true</allow-credentials>
</cors>
</inbound>
This policy snippet sets the allowed origins to http://example.com, the allowed methods to GET and POST, and the allowed headers to Content-Type. It also allows credentials to be included in the request by setting allow-credentials to true.
Regarding pre-flight calls, APIM automatically handles pre-flight requests by responding with the appropriate CORS headers. When a pre-flight request is received, APIM checks the Access-Control-Request-Method and Access-Control-Request-Headers headers to determine the allowed methods and headers for the API. It then responds with the appropriate Access-Control-Allow-Origin, Access-Control-Allow-Methods, and Access-Control-Allow-Headers headers.
Regarding authentication for pre-flight calls, it is not necessary to enable authentication for pre-flight requests. Pre-flight requests are sent by the browser to determine whether the actual request is safe to send. They do not include any user credentials or sensitive information, and are not used to actually send data to the server. Therefore, it is safe to allow pre-flight requests without authentication.
do let me know incase of further queries, I would be happy to assist you.
Please accept as Yes if the answer provided is useful, so that you can help others in the community looking for remediation for similar issues.