REST API set Access-Control-Allow-Origin in response

I need to set Access-Control-Allow-Origin in response for my exposed REST API. I have tried to do it at Outsystems' customize response onResponse action by using the HTTPRequestHandler's AddHeader method. But the result will be having 2 Access-Control-Allow-Origin headers instead which will generate error.

You could use ListIndex to determine the index of the Access-Control-Allow-Origin header in the Response.Headers list.

If you have the index, you could then set the value of the Access-Control-Allow-Origin header directly by using something similiar to: Response.Headers[index].Value = "[RequiredValue]"

Hanno wrote:

You could use ListIndex to determine the index of the Access-Control-Allow-Origin header in the Response.Headers list.

If you have the index, you could then set the value of the Access-Control-Allow-Origin header directly by using something similiar to: Response.Headers[index].Value = "[RequiredValue]"

The Response does not have Response.Headers.  Only ResponseText and ResponseBinary are accessible.


If you add the OnAfterResponse Callbackto the consumed REST API, you should have access to the headers as per the below:

@Hanno what you mention is for consumed REST APIs, but this question is about an exposed one.

@Lavin you could clone the HTTPRequestHandler extension and change the code to add the header when it doesn't exist or update its value when it does. I was taking a look at the code and it seems to be pretty straight forward. Is this an option for you? Are you familiar with C# code?

Ah! I missed that!

@Lavin, try the SetHeaderValue action in the attached .oap in the OnResponse callback of your Exposed REST API and let me know if it solves your problem.

Hanno wrote:

@Lavin, try the SetHeaderValue action in the attached .oap in the OnResponse callback of your Exposed REST API and let me know if it solves your problem.

@Hanno Any chance I can use it in Outsystems 10? 


I do not have access to a P10 server, unfortunately. You might need to code it yourself. 

Are you comfortable with building/modifying an extension?

Lavin, try the attached?

Hanno wrote:

Lavin, try the attached?

Tried it but got error message "This operation requires IIS integrated pipeline mode". I am trying to solve that now.


Hanno wrote:

Lavin, try the attached?

@Hanno Tried the extension using the setHeader action. But the response still return the new  Access-Control-Allow-Origin header that I set and the default  Access-Control-Allow-Origin header set as *.

Lavin, I used the AddHeader action from HTTPRequestHandler in an API I exposed. 

The result is as below. I only get one Access-Control-Allow-Origin header with the value I set.

Hanno wrote:

Lavin, I used the AddHeader action from HTTPRequestHandler in an API I exposed. 

The result is as below. I only get one Access-Control-Allow-Origin header with the value I set.


My request header have an origin: https://localhost. If add that the additional Access-Control-Allow-Origin: * will appear.


It sounds like it might be an IIS config.

Can you perhaps see if your IIS is adding/sending any CORS headers?