Accessing API Resources from Another Origin | API Developer | AWS Certified Developer - Associate

Accessing API Resources from Another Origin


Question

You are an API developer for a large manufacturing company.

You have developed an API resource that adds new products to the distributor's inventory using a POST HTTP request.

The request includes an Origin header and uses application/x-www-form-urlencoded as its request content type.

Which response header will allow access to this resource from another origin?

Answers

Explanations


A. B. C. D.

Answer: A.

For simple cross-origin POST method requests, the response from your resource needs to include the header Access-Control-Allow-Origin, where the value of the header is set to '*' (any origin) or to the origins allowed to access that resource.

When a browser receives a non-simple HTTP request, the CORS protocol requires the browser to send a preflight request to the server and wait for approval (or a request for credentials) from the server before sending the actual request.

The preflight request appears to your API as an HTTP request that:

- includes an Origin header;
- uses the OPTIONS method;
- includes the following headers: Access-Control-Request-Method and Access-Control-Request-Headers.

Option A is CORRECT as the POST request satisfies the condition for a simple cross-origin request.

So returning the Access-Control-Allow-Origin header in the response is what makes the resource accessible from other origins.

Option B is incorrect as this header alone will not allow the resource to be accessed cross-origin.

This header is part of enabling CORS support for a non-simple (preflighted) HTTP request.

Option C is incorrect as this header alone will not allow the resource to be accessed cross-origin.

This header is part of enabling CORS support for a non-simple (preflighted) HTTP request.

Option D is incorrect but is the next closest answer.

The question asks which header (singular), not which headers.

Reference:

https://docs.aws.amazon.com/apigateway/latest/developerguide/how-to-cors.html

The correct answer is A. Access-Control-Allow-Origin.

Explanation: Cross-Origin Resource Sharing (CORS) is a browser-enforced mechanism that controls whether a web page may make requests to, and read responses from, a different origin than the one that served the page. Together with the same-origin policy it prevents a malicious script on one site from reading another site's data and APIs.

When a web page makes a non-simple request to an API resource on a different origin, the web browser sends a preflight request to the API resource before sending the actual request. The preflight request is an HTTP OPTIONS request that includes the Origin header and headers describing the method and custom headers the client intends to send with the actual request.

In response to the preflight request (and to the actual request), the server should send a response header that indicates which origins are allowed to access the API resource. The Access-Control-Allow-Origin response header specifies the origins that are allowed to access the resource. If the server sends a wildcard (*) value, then any origin can access the resource; note that the wildcard cannot be combined with credentialed requests.

The Access-Control-Request-Method header is sent in the preflight request and specifies the HTTP method (e.g., GET, POST, PUT, DELETE) that the client intends to use for the actual request. The Access-Control-Allow-Methods header in the response specifies which HTTP methods are allowed.

The Access-Control-Request-Headers header is sent in the preflight request and specifies which custom headers the client intends to send with the actual request. The Access-Control-Allow-Headers header in the response specifies which custom headers are allowed.

Therefore, the correct answer is A. Access-Control-Allow-Origin, as it is the response header that allows access to the API resource from another origin.
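The two cases described above, the simple cross-origin POST that needs only Access-Control-Allow-Origin and the preflighted request that also needs Access-Control-Allow-Methods and Access-Control-Allow-Headers, as an added example in the style of a Lambda-proxy handler behind API Gateway. This is example code written for this page, not AWS or API Gateway code; the allow-list of origins, methods and headers is constructed, and the function names (is_simple_request, cors_response) are assumptions. It echoes back only origins on an allow-list instead of returning '*', and sends Vary: Origin so caches do not serve one origin's response to another.

```python
"""Added example (not from the page or AWS): a minimal CORS decision routine.

cors_response() returns the CORS-related status and headers a resource should
send, distinguishing a simple cross-origin POST (only Access-Control-Allow-Origin
needed) from a preflight OPTIONS request (Allow-Methods / Allow-Headers needed too).
"""

# Constructed allow-list; replace with the origins your front end is served from.
ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}
ALLOWED_METHODS = {"POST", "OPTIONS"}
ALLOWED_HEADERS = {"content-type", "x-api-key"}

# The three content types a POST may carry and still count as a simple request.
SIMPLE_CONTENT_TYPES = {
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/plain",
}
# Headers a browser may send on a simple request without triggering a preflight.
SAFE_REQUEST_HEADERS = {"origin", "content-type", "accept", "accept-language", "content-language"}


def _lower(headers):
    """HTTP header names are case-insensitive; normalise keys for lookup."""
    return {k.lower(): v for k, v in headers.items()}


def is_simple_request(method, headers):
    """Approximate the CORS 'simple request' rules: GET/HEAD/POST, no custom
    headers, and for POST one of the three form-style content types."""
    h = _lower(headers)
    if method not in {"GET", "HEAD", "POST"}:
        return False
    if set(h) - SAFE_REQUEST_HEADERS:
        return False  # a custom header forces a preflight
    content_type = h.get("content-type", "").split(";")[0].strip().lower()
    return method != "POST" or content_type in SIMPLE_CONTENT_TYPES


def cors_response(method, headers):
    """Return (status_code, response_headers) for the CORS part of the response."""
    h = _lower(headers)
    origin = h.get("origin")
    if origin is None:
        return 200, {}  # same-origin or non-browser client: no CORS headers needed
    if origin not in ALLOWED_ORIGINS:
        # No Access-Control-Allow-Origin header, so the browser blocks the response.
        return 403, {}

    base = {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}

    if method == "OPTIONS" and "access-control-request-method" in h:
        # Preflight: validate the method and headers the client intends to use.
        requested_method = h["access-control-request-method"].strip().upper()
        requested_headers = {
            x.strip().lower()
            for x in h.get("access-control-request-headers", "").split(",")
            if x.strip()
        }
        if requested_method not in ALLOWED_METHODS or not requested_headers <= ALLOWED_HEADERS:
            return 403, {}
        base.update({
            "Access-Control-Allow-Methods": ", ".join(sorted(ALLOWED_METHODS)),
            "Access-Control-Allow-Headers": ", ".join(sorted(ALLOWED_HEADERS)),
            "Access-Control-Max-Age": "600",  # let the browser cache the preflight
        })
        return 204, base

    # Simple request (or the actual request after a preflight): only the
    # Access-Control-Allow-Origin header is required, as in the question.
    return 200, base


if __name__ == "__main__":
    # Constructed sample request matching the question: simple POST with a form body.
    simple_post = {"Origin": "https://app.example.com",
                   "Content-Type": "application/x-www-form-urlencoded"}
    print(is_simple_request("POST", simple_post), cors_response("POST", simple_post))
```

The simple POST from the question gets back only Access-Control-Allow-Origin (plus Vary), while a JSON POST or a request with X-Api-Key is classified as non-simple and must pass the OPTIONS branch first. Returning 403 with no Access-Control-Allow-Origin header for unknown origins is a design choice; the browser blocks the response either way, but the explicit status makes the rejection visible in server logs.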