


The Same-Origin-Policy (SOP) is an important security concept implemented in all web browsers. Under SOP, a script may use the resources of its own website, while its use of elements or resources from other websites and/or locations other than its Origin is restricted. This measure safeguards you from attacks by other websites or applications.


Cross-Origin Resource Sharing (CORS) is a mechanism to enable Cross-Origin-Requests.

To allow requests from an external website or application, extend the response headers with the following parameter, which approves that external website:

Access-Control-Allow-Origin: http://external.website.com

If the external website cannot be known beforehand, all websites have to be allowed:

Access-Control-Allow-Origin: *

You can limit which hosts are allowed to be used as Origin in the ApiOmat Configuration.

Default Accept Headers

There are several default accepted headers, mostly required by browser requests:

Origin, Accept, X-Requested-With, Content-Type, Access-Control-Request-Method, Access-Control-Request-Headers, Cache-Control, Expires, Last-Modified
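
One way to enforce the host restriction and the default header list described above on the server side, as an added example that is not ApiOmat's implementation or configuration syntax. The function names and the request object shape (lower-cased header keys) are assumptions.

```javascript
// Added example, not ApiOmat code. Function names are hypothetical.
// Default accepted request headers, copied from the list above.
const DEFAULT_ACCEPTED_HEADERS = [
  "Origin", "Accept", "X-Requested-With", "Content-Type",
  "Access-Control-Request-Method", "Access-Control-Request-Headers",
  "Cache-Control", "Expires", "Last-Modified",
].map((h) => h.toLowerCase());

// Constructed allowlist: the single external site used as the example above.
const ALLOWED_ORIGINS = new Set(["http://external.website.com"]);

// Reduce an Origin header value to scheme://host[:port]; null if unusable.
function normalizeOrigin(value) {
  if (typeof value !== "string") return null;
  try {
    const u = new URL(value);
    if (u.protocol !== "http:" && u.protocol !== "https:") return null;
    // A real Origin header carries no path, query, fragment or credentials.
    if (u.pathname !== "/" || u.search || u.hash || u.username || u.password) return null;
    return u.origin;
  } catch {
    return null; // "null", empty or malformed values end up here
  }
}

// Return the CORS response headers for a request; {} means "send none",
// which makes the browser block the cross-origin read.
function corsHeaders(request, allowedOrigins = ALLOWED_ORIGINS) {
  const origin = normalizeOrigin(request.headers["origin"]);
  // Exact match only: prefix or suffix checks would accept look-alike hosts.
  if (origin === null || !allowedOrigins.has(origin)) return {};
  // Echo the one matching origin; Vary keeps caches from reusing it for others.
  const headers = { "Access-Control-Allow-Origin": origin, "Vary": "Origin" };
  if (request.method !== "OPTIONS") return headers;
  // Preflight: every header the browser announces must be an accepted one.
  const requested = (request.headers["access-control-request-headers"] || "")
    .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);
  if (!requested.every((h) => DEFAULT_ACCEPTED_HEADERS.includes(h))) return {};
  if (requested.length > 0) headers["Access-Control-Allow-Headers"] = requested.join(", ");
  return headers;
}

// Constructed sample request: a preflight from the allowed site.
console.log(corsHeaders({
  method: "OPTIONS",
  headers: { "origin": "http://external.website.com",
             "access-control-request-headers": "Content-Type, X-Requested-With" },
}));
```

Because no Access-Control-Allow-Methods header is set, only the CORS-safelisted methods GET, HEAD and POST pass this preflight.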

Issues with Internet Explorer 8/9

Not all browsers fully support CORS; Internet Explorer 8 and 9 support the feature only partially. For these browsers, use the ApiOmat Webhosting module instead.

Webhosting module

With the Webhosting module you can host your website at ApiOmat. From a simple static landing page for your product to a full-featured web frontend of your app, everything is possible. You can use HTML, CSS and JavaScript files, images, and of course all sorts of binary data, with the exception of CGI scripts.

All requests are then executed on the same domain and therefore comply with the Same-Origin-Policy, and HTTPS protects all the requests.