CORS support

Cross-origin resource sharing provides a way to use Apiary Mock Server directly from your in-browser application.

By default, we are not altering your traffic in any way. Therefore, please go to settings in your API and turn CORS settings on there. 

How does it work?
  • If it's not specified, OPTIONS method is defined for every resource created by you, so your mock server will automatically handle all pre-flight requests
  • Access-Control-Allow-Origin is set to the value that has been provided in request Origin header. If not present, star ("*") is used
  • If Access-Control-Allow-Headers was present in request, it is also returned in response
  • Access-Control-Allow-Methods defaults to OPTIONS, HEAD, TRACE, CONNECT plus whatever methods are defined on given path in your blueprint.

Notably, for security reasons, we are intentionally not returning "Access-Control-Allow-Credentials" header that may be needed for some of your CORS requests. 

If you need it (or you need to modify any other behaviour), you can always define your own OPTIONS method in API Blueprint and return your own headers.

Also note that we are not touching your requests in proxy mode: your server has to implement its CORS policy correctly on its own.

Feedback and Knowledge Base