Identifying Origins for the cors.allowed.origins Initialization Parameter
The cors.allowed.origins parameter, used to configure the CORS filter, identifies the clients (origins) that are allowed to issue requests to the server. The code snippet provided in Configuring the CORS Filter shows an asterisk (*) as the value for this parameter, indicating that a request can come from any origin. For security purposes, set this value to the one or more specific request origins that the server supports.
Defining an Origin
Use the following format for each origin added:
Origin: <scheme> "://" <hostname> [ ":" <port> ]
Note the following:
- Use all lower case in the URL. The value is case-sensitive.
- Include the port number, as it is required. You can omit it only if the port is known to be configured as part of the host name.
- The host name can be the fully qualified domain name (FQDN).
- When specifying multiple origins, separate them with commas, as in this example:
Origin: http://www.machine123.org:8080, http://www.machine1000.smc.com:8080
Example Origin Formats
The following are examples of origin formats:
- http://www.w3.org (port known to be configured with hostname)
- https://www.apache.org (port known to be configured with hostname)
- http://www.abc.domain.com (port known to be configured with hostname)
- http://<origin_Machine_hostName>:8080
- https://<FQDN(fully_qualified_domain_name)>:8080
- http://<origin_host_IP_address>:8080
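A value intended for cors.allowed.origins can be checked against the format rules above before it is deployed. The following Python check is an added example, not code from this documentation or the product; the function names origin_problem and check_origins are hypothetical, and limiting the scheme to http/https and the host to DNS names or IPv4 addresses are assumptions of the example.

```python
import re

# <scheme> "://" <hostname> [ ":" <port> ], with nothing after the port.
# Assumption of this example: only http and https schemes are accepted.
ORIGIN_RE = re.compile(r"(https?)://([^/:?#@\s]+)(?::(\d+))?")
# One DNS label (also matches each octet of a dotted IPv4 address).
LABEL_RE = re.compile(r"[a-z0-9](?:[a-z0-9-]*[a-z0-9])?")


def origin_problem(origin):
    """Return a description of what is wrong with one origin, or None."""
    if origin == "":
        return "empty entry (stray comma)"
    if origin == "*":
        return "wildcard allows any origin"
    if origin != origin.lower():
        return "must be all lower case"
    m = ORIGIN_RE.fullmatch(origin)
    if m is None:
        return "not <scheme>://<hostname>[:<port>]"
    if not all(LABEL_RE.fullmatch(label) for label in m.group(2).split(".")):
        return "invalid host name"
    if m.group(3) is not None and not 1 <= int(m.group(3)) <= 65535:
        return "port out of range"
    return None


def check_origins(value):
    """Check a comma-separated origins value; return (origin, problem) pairs."""
    findings = []
    for entry in value.split(","):
        origin = entry.strip()
        problem = origin_problem(origin)
        if problem:
            findings.append((origin, problem))
    return findings


if __name__ == "__main__":
    # First value is the page's own example; the second is constructed.
    samples = [
        "http://www.machine123.org:8080, http://www.machine1000.smc.com:8080",
        "*, HTTP://www.machine123.org:8080, http://www.machine123.org:8080/app",
    ]
    for value in samples:
        print(value, "->", check_origins(value) or "OK")
```

An empty result means every entry matched the format; a path or trailing slash after the port is reported because an origin consists only of scheme, host and port.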