New feature - setting the access-control-allow-origin HTTP header
3 Apr 2020
Following on from the recent announcement of IP restriction for paying customers, we’ve now added another customer-only feature: the ability to specify an
access-control-allow-origin HTTP header per API key.
Here’s how you set the value:
Add the full domain (including
Then click “Save” and you are good to go. Our API will then soon begin
returning the specified value in the HTTP headers for API requests made with
that key. If we look at the headers returned by a valid API request (for example by using
$ curl -v) we see:
< HTTP/1.1 200 OK
< date: Fri, 03 Apr 2020 12:16:53 GMT
< server: Apache
< access-control-allow-origin: https://thegeomob.com
< vary: Accept-Encoding
< transfer-encoding: chunked
< content-type: application/json; charset=utf-8
< strict-transport-security: max-age=31536000; includeSubDomains; preload
It’s very important to note that specifying a value for the
access-control-allow-origin header does NOT prevent others from abusing your
API key; it just makes it harder for them to use the key for AJAX requests.
Setting this header is just one of many steps you should take to protect your API key. Please see our full list of recommendations.
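Why the header only affects AJAX use, shown as an added example (not OpenCage's code): a simplified model of the check a browser applies to a simple, non-credentialed cross-origin request. The function names, the `clientKind` values and the response body are assumptions made for illustration; the header value is the one from the curl output above.

```javascript
// Simplified model of the browser-side CORS check for a simple,
// non-credentialed cross-origin request. Added illustration only.

// Constructed sample response carrying the header from the curl output.
const sampleResponse = {
  status: 200,
  headers: { "access-control-allow-origin": "https://thegeomob.com" },
  body: '{"results": []}', // constructed placeholder body
};

// Serialize an origin the way a browser sends it in the Origin header:
// scheme://host[:port], default port omitted, no path.
function serializeOrigin(pageUrl) {
  return new URL(pageUrl).origin;
}

// True if a browser would let script on pageUrl read the response.
function browserAllowsRead(pageUrl, response) {
  const allowed = response.headers["access-control-allow-origin"];
  if (allowed === undefined) return false; // no header: read is blocked
  if (allowed === "*") return true;        // wildcard: any origin may read
  return allowed === serializeOrigin(pageUrl); // otherwise an exact match
}

// What each kind of client ends up with. The server sent the same 200
// response every time; only a browser withholds it from page script.
// Non-browser clients (curl, server-side code) perform no CORS check.
function clientSees(clientKind, pageUrl, response) {
  if (clientKind !== "browser") return response.body;
  return browserAllowsRead(pageUrl, response) ? response.body : null;
}

console.log(browserAllowsRead("https://thegeomob.com/map", sampleResponse));
console.log(browserAllowsRead("https://www.thegeomob.com/", sampleResponse));
console.log(clientSees("curl", null, sampleResponse));
```

The match is on the full serialized origin, so a different scheme or subdomain fails it. The request itself is still served and counted against the key in every case, which is why the header complements rather than replaces the other key-protection steps.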
You can read more about CORS and this header in the relevant section of our API docs.
CORS is not particularly intuitive, and it is easy to confuse it with referer blocking, which it is not. Please get in touch if you are a customer and have questions; we are here to help.