<style>p { margin: 0; }span.fr-emoticon.fr-emoticon-img { background-repeat: no-repeat !important; font-size: inherit; height: 1em; width: 1em; min-height: 20px; min-width: 20px; display: inline-block; margin: -0.1em 0.1em 0.1em; line-height: 1; vertical-align: middle; } span.fr-emoticon { font-weight: normal; font-family: "Apple Color Emoji", "Segoe UI Emoji", "NotoColorEmoji", "Segoe UI Symbol", "Android Emoji", "EmojiSymbols"; display: inline; line-height: 0; } blockquote { border-left: solid 2px #5e35b1; color: #5e35b1; margin-left:0; padding-left:5px;}blockquote blockquote{ border-color: #00bcd4; color: #00bcd4;}blockquote blockquote blockquote{ border-color: #43a047; color: #43a047;} table.grid{ border-collapse: collapse;} table.grid td, table.grid th { border: 1px solid #ddd;} .fr-fic.fr-dib{ display: block; margin: 5px auto;}.fr-fic.fr-dib.fr-fir{ text-align: right; margin: 5px 0 5px auto;}.fr-fic.fr-dib.fr-fil{ text-align: left; margin: 5px auto 5px 0;}</style><p id="isPasted">By default, the CORS policy on all Halo web apps is a wildcard that allows all.</p><p><br></p><p>To enable a stricter CORS policy to block requests from other origins, follow the below.</p><p><br></p><p>In appsettings.json in the API and Auth Server add &quot;UseCorsPolicy&quot;: true.</p><p><br></p><p>Also, add &quot;CorsWhiteList&quot; as an array of strings. Enter the hostname of each origin you would like to be able to access. The web app and portal must be included in this list if they do not have the same origin as the API application otherwise they will be blocked.</p><p><br></p><p>E.G</p><p><img src="http://halo.haloservicedesk.com/api/attachment/image/f19b4b0a-f7f0-40a8-aed5-33140d463464" class="fr-fic fr-fil fr-dib" width="378" height="125"></p><p><br></p><p>NB. If customer is using &#39;localhost&#39; (i.e. their instance is On-Prem for the local network, a port must be specified for it to work). Example localhost:443</p>