Wednesday, October 30, 2019

Cross Origin Resource Sharing (CORS)

Usually our Pega application is hosted on a server with its own domain (https://SampleDomain1), and all the resources the application needs reside on that same server and are accessed by URL from the browser.

Now assume a scenario where our Pega application needs to invoke a URL on another domain to load some details. That means the Pega application has to send a request to the other domain's URL, i.e. a cross-domain call. For security reasons, this is disabled by default.

This scenario calls for a resource to be shared across multiple domains (origins), and the mechanism for that is called Cross Origin Resource Sharing (CORS).

Note: "Origin" here refers to the origin of the request, i.e. the domain the request comes from.


To allow a user already on https://SampleDomain1 to reach https://SampleDomain2, SampleDomain2 must be configured to allow requests from SampleDomain1 (by whitelisting it).


SampleDomain2 whitelists SampleDomain1 by sending the HTTP response header below.
Access-Control-Allow-Origin: https://SampleDomain1

Note: Access-Control-Allow-Origin: * would mean that any origin can access the resource, which can lead to other security issues.
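As an added example (not code from the post or from Pega), this is how a server such as SampleDomain2 can decide which Access-Control-Allow-Origin header, if any, to send back from a whitelist of exact origins instead of using *. It is written for Node.js; the domain names are the post's sample names and the function names are my own.

```javascript
// Added example: server-side whitelist check for the CORS allow header.
// Domain names are the post's sample names; function names are assumptions.

// Parse an Origin header value into scheme://host[:port]. Returns null for a
// missing header, the literal "null" origin, or anything that is not a URL.
function normalizeOrigin(value) {
  if (typeof value !== "string") return null;
  try {
    return new URL(value).origin;   // lower-cases the host, drops any path
  } catch {
    return null;                    // "null", "", or malformed input
  }
}

// Exact origins permitted to call SampleDomain2. Each entry is normalised the
// same way as the incoming Origin header so the comparison is exact.
const ALLOWED_ORIGINS = new Set(
  ["https://SampleDomain1"].map(normalizeOrigin)
);

// Build the CORS response headers for one request. Only a whitelisted origin
// gets a header, and it is that single origin, never "*".
function corsHeaders(requestOrigin, allowed = ALLOWED_ORIGINS) {
  const origin = normalizeOrigin(requestOrigin);
  if (origin === null || !allowed.has(origin)) {
    return {};  // not whitelisted: send no Access-Control-* headers at all
  }
  return {
    "Access-Control-Allow-Origin": origin,
    // The response differs per Origin, so shared caches must key on it;
    // otherwise one origin's allow header could be served to another.
    "Vary": "Origin",
  };
}

// Prefix or substring checks are a classic mistake: a host that merely starts
// with the whitelisted name must not be accepted. Constructed sample values:
const sampleRequests = [
  "https://SampleDomain1",               // whitelisted
  "https://SampleDomain1.example.net",   // different host, same prefix
  "http://SampleDomain1",                // same host, wrong scheme
  undefined,                             // same-origin request, no Origin
];
for (const o of sampleRequests) {
  console.log(String(o), "->", corsHeaders(o));
}
```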

Pega makes this simple with a rule under the Security category: "Cross Origin Resource Sharing". Log in to Designer Studio and navigate to Records >> Security >> Cross Origin Resource Sharing (as highlighted in the screenshot below).

In my next post I will walk through a real-time use case that demonstrates this. In the meantime you can explore the HTTP header Access-Control-Allow-Origin: it gets interesting if you use Fiddler or Developer Tools >> Network to look for this header on HTTP requests that cross domains. Thank you!



  1. Hi Pavan,
    Can you please explain this scenario with a screenshot example?

    1. Sure. Thanks for the feedback. I will post in a couple of weeks and tag it to this post.


HowToPega : All rights reserved and the contents are copyrighted to Pavan Kumar Naidu