The Accela API supports Cross-Origin Resource Sharing (CORS) requests, which allow cross-domain communication between a browser and the server. When the originating site sends a request from a CORS-capable browser to the Accela API server, the browser appends the Origin HTTP request header before sending the request. In response to the cross-domain request, the Accela API returns Access-Control HTTP headers to the originating site.
A typical use case is a web site that is bound by the browser's same-origin policy and needs to access data returned by the Accela API on https://apps-apis.dev.accela.com. For example, if an agency web application that is restricted to its own domain needs to call the Accela Construct API on the Accela-hosted server, the agency web application enables CORS support on its client server before making Accela API calls. If the originating site is http://www.myAgencySite.com, the browser adds the following request header:
Origin: http://www.myAgencySite.com
The server checks whether the Origin value is an allowed site. If the origin is valid, the server sends the Access-Control-Allow-Origin HTTP response header set to that Origin value (or to “*” for a public resource). The Accela API returns the following Access-Control HTTP response headers:
| HTTP Response Header | Description |
| --- | --- |
| Access-Control-Allow-Origin | Returns the origin site if it is allowed (for example, http://www.clientSite.com); otherwise returns null. If the resource is available to the public, “*” is returned. |
| Access-Control-Allow-Credentials | Returns true, indicating that the actual request can include user credentials. |
| Access-Control-Expose-Headers | Returns the header names that the browser may expose to the calling script, such as x-accela-traceId. |
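The following is an added example, not Accela's server code, that models the header decision described above: the Origin value is matched exactly against a constructed allow-list, an allowed origin is echoed back with Allow-Credentials and Expose-Headers, a public resource gets “*” without credentials, and a rejected origin gets no Access-Control headers at all. The allow-list, the `isPublic` flag and the function name `corsHeadersFor` are assumptions for illustration.

```javascript
// Constructed allow-list of agency origins (scheme + host, no path or trailing slash).
const ALLOWED_ORIGINS = new Set([
  "http://www.myAgencySite.com",
]);

// Response header names the browser may expose to the calling script.
const EXPOSED_HEADERS = ["x-accela-traceId"];

// Decide which Access-Control headers to return for a request that carried
// the given Origin request header. `isPublic` marks a resource anyone may read.
// Returns a plain object of response headers; {} means the origin was rejected
// and the browser will block the cross-origin response.
function corsHeadersFor(origin, isPublic = false) {
  if (isPublic) {
    // A public resource is answered with "*". Browsers refuse "*" combined with
    // Allow-Credentials: true, so credentials are deliberately not allowed here.
    return {
      "Access-Control-Allow-Origin": "*",
      "Access-Control-Expose-Headers": EXPOSED_HEADERS.join(", "),
    };
  }

  // Exact-match lookup only: a prefix or substring comparison would accept
  // look-alike hosts, and reflecting an arbitrary Origin together with
  // Allow-Credentials would hand the caller's session to any site.
  if (typeof origin !== "string" || !ALLOWED_ORIGINS.has(origin)) {
    return {};
  }

  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    "Access-Control-Expose-Headers": EXPOSED_HEADERS.join(", "),
    // The response differs per Origin, so shared caches must key on it.
    "Vary": "Origin",
  };
}
```
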
See the W3C CORS specifications for more details about cross-origin requests and CORS response headers.