CORS Initialization Parameters
The following table describes the initialization parameters defined in the CORS filter that is set up for use by Code Insight. These parameters can be adjusted for the Code Insight installation at your site.
| Initialization Parameter | Definition | 
|---|---|
| `<filter> <filter-name>CorsFilter</filter-name> <filter-class>org.apache.catalina.filters.CorsFilter</filter-class> </filter>`<br />...<br />`<filter-mapping> <filter-name>CorsFilter</filter-name> <url-pattern>/*</url-pattern> </filter-mapping>` | The basic code that enables the CORS filter. The filter adds the appropriate Access-Control-* headers to responses and issues the 403 return code when a request is invalid or not permitted. | 
| cors.allowed.origins | The origins (clients) whose requests the server will accept. For security purposes, you should replace the asterisk * value (shown for this parameter in the code snippet provided in Configuring the CORS Filter) with the URL for each specific origin accepted by the server. For details, see Identifying Origins for the cors.allowed.origins Initialization Parameter. | 
| cors.allowed.methods | The HTTP methods that are allowed in cross-origin requests to access Code Insight data. The value in the provided code snippet (see Configuring the CORS Filter) permits all methods, but you can adjust this list according to your site’s requirements. (The default methods include GET, POST, and HEAD.) The HEAD method is used to retrieve only headers from the server, similar to a GET but with no message body returned. The listed methods are included as part of the Access-Control-Allow-Methods header in the pre-flight response so that the client knows which methods are allowed. | 
| cors.allowed.headers | The HTTP request headers allowed in actual requests. Be sure to include the Authorization header, which is required for Code Insight REST API calls. Additionally, for POST or PUT requests, the Content-Type header needs to be passed along with the Authorization header. The headers specified here are returned as part of the Access-Control-Allow-Headers header in the server’s response to a pre-flight request, informing the client which headers are allowed in requests. | 
| cors.exposed.headers | (Not shown in the code snippet) The specific headers that can be exposed to the client as part of the response, enabling the client to then use these headers. These headers are returned as part of the Access-Control-Expose-Headers header in the Core Server’s response to a pre-flight request. | 
| cors.preflight.maxage | The maximum number of seconds that the results of the pre-flight request can be cached. (The results include the information contained in the Access-Control-Allow-Methods and Access-Control-Allow-Headers headers.) The provided code snippet (see Configuring the CORS Filter) uses the value 86400, representing 24 hours, but you can adjust this value as needed. The CORS default value is 1800. |
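
The guidance in the table can be checked mechanically before a web.xml change is deployed. The following script is an added example, not code from Code Insight or its documentation: it reads the CorsFilter init-params and reports a wildcard origin, a missing Authorization header, and a missing Content-Type header when POST or PUT is allowed. The sample web.xml fragment is constructed, and the function names are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample web.xml fragment (not the snippet shipped with Code Insight).
SAMPLE_WEB_XML = """<web-app>
  <filter>
    <filter-name>CorsFilter</filter-name>
    <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
    <init-param><param-name>cors.allowed.origins</param-name><param-value>*</param-value></init-param>
    <init-param><param-name>cors.allowed.methods</param-name><param-value>GET,POST,PUT,HEAD,OPTIONS</param-value></init-param>
    <init-param><param-name>cors.allowed.headers</param-name><param-value>Content-Type,Accept</param-value></init-param>
    <init-param><param-name>cors.preflight.maxage</param-name><param-value>86400</param-value></init-param>
  </filter>
</web-app>"""

CORS_CLASS = "org.apache.catalina.filters.CorsFilter"

def _local(tag):
    """Drop an XML namespace prefix such as '{http://...}filter'."""
    return tag.rsplit("}", 1)[-1]

def _children(elem):
    """Map each direct child's tag name to its stripped text."""
    return {_local(c.tag): (c.text or "").strip() for c in elem}

def cors_params(web_xml):
    """Return the CorsFilter init-params as a dict, or None if no such filter."""
    for flt in ET.fromstring(web_xml).iter():
        if _local(flt.tag) == "filter" and _children(flt).get("filter-class") == CORS_CLASS:
            pairs = (_children(ip) for ip in flt if _local(ip.tag) == "init-param")
            return {kv.get("param-name", ""): kv.get("param-value", "") for kv in pairs}
    return None

def audit(web_xml):
    """Compare the configured values with the table's guidance; return findings."""
    params = cors_params(web_xml)
    if params is None:
        return ["CorsFilter is not configured"]
    def values(name):
        return {v.strip().lower() for v in params.get(name, "").split(",") if v.strip()}
    headers, methods = values("cors.allowed.headers"), values("cors.allowed.methods")
    findings = []
    if "*" in values("cors.allowed.origins"):
        findings.append("cors.allowed.origins: list each accepted origin instead of *")
    if "authorization" not in headers:
        findings.append("cors.allowed.headers: add Authorization (required for REST API calls)")
    # Checked only when both lists are set explicitly, so filter defaults are not guessed.
    if "cors.allowed.headers" in params and methods & {"post", "put"} and "content-type" not in headers:
        findings.append("cors.allowed.headers: add Content-Type for POST or PUT requests")
    return findings
```
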