Reputation: 21
Restler3 is truly incredible!
We have a "public" API, a "management" API with API_KEY-based access control, and we would like another API protected by CORS (no API_KEY).
The new CORS-protected API would be used to protect all of our JavaScript AJAX calls. We want to centralize all of the AJAX server-side code into one API with consistent entry and exit points.
We have set the following Restler defaults.
```php
Defaults::$crossOriginResourceSharing = true;
Defaults::$accessControlAllowOrigin = 'https://www.mydomain.com';
```
Is this the correct technique?
How do we confirm the security is working properly?
For reference, here is the index.php that we have created for this new API.
```php
<?php
// get the document root from Apache and make sure that there is a trailing slash
$document_root = rtrim($_SERVER['DOCUMENT_ROOT'], '/') . '/';

// autoload Restler via Composer
// note: this code was provided by Arul to address issues with autoloading Swift and Aws
$loader = require_once $document_root . 'vendor/autoload.php';
$loader->setUseIncludePath(true);
class_alias('Luracast\\Restler\\Restler', 'Restler');

// import namespaces
use Luracast\Restler\Defaults;
use Luracast\Restler\Restler;

// setup versioning
Defaults::$useUrlBasedVersioning = true;

// setup CORS on this API
Defaults::$crossOriginResourceSharing = true;
Defaults::$accessControlAllowOrigin = 'https://www.mydomain.com';

// instantiate Restler
$r = new Restler();

// support both JSON and XML formats
$r->setSupportedFormats('JsonFormat', 'XmlFormat');

// API version
$r->setAPIVersion(1);

// create resources.json at the API root for use by the API Explorer
$r->addAPIClass('Luracast\\Restler\\Resources');

// autoload the Diagnostics class in the v1 folder
$r->addAPIClass('Diagnostics');

// start
$r->handle();
```
Response headers:
```text
Date: Tue, 15 Oct 2013 17:50:12 GMT
X-Powered-By: PHP/5.3.27
Connection: Keep-Alive
Content-Length: 50
Server: Apache
Content-Type: text/html
Keep-Alive: timeout=5, max=94
```
Upvotes: 1
Views: 1092
Reputation: 993
Yup, you are doing it right for CORS.
For testing it, try calling the API method through JavaScript. If it works for a domain which is not enabled, that shows it's not working.
Similarly, if it does not work for a domain that is enabled, that is wrong too.
Upvotes: 1
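The check the answer describes, written as an added example (not part of the question, the answer, or Restler itself): a response to the configured origin must carry a matching `Access-Control-Allow-Origin` header, and a response to any other origin must not. `probe()` is a hypothetical helper for a live request; the header sets used by `run_samples()` are constructed, the first mirroring the header list in the question, which has no CORS header at all.

```python
"""Offline check of CORS response headers for a single allowed origin."""
import urllib.request

# Value taken from Defaults::$accessControlAllowOrigin in the question.
ALLOWED_ORIGIN = "https://www.mydomain.com"


def cors_verdict(origin, headers, allowed_origin=ALLOWED_ORIGIN):
    """Return (ok, reason) for one request Origin and the response headers it got.

    headers: dict of response header name -> value (looked up case-insensitively).
    """
    lower = {k.lower(): v for k, v in headers.items()}
    acao = lower.get("access-control-allow-origin")
    if origin == allowed_origin:
        # The browser only lets the page read the response if ACAO names it.
        if acao is None:
            return False, "allowed origin got no Access-Control-Allow-Origin header"
        if acao != origin:
            return False, "allowed origin got ACAO=%r instead of its own origin" % acao
        return True, "allowed origin is permitted"
    # Any other origin must not be told it may read the response; '*' would
    # open the API to every site, which is not what the configuration says.
    if acao in (origin, "*"):
        return False, "disallowed origin %r got ACAO=%r" % (origin, acao)
    return True, "disallowed origin is refused"


def probe(url, origin):
    """Hypothetical helper: send one request carrying an Origin header and return
    the response headers for cors_verdict(). Makes a network call; not used below."""
    req = urllib.request.Request(url, headers={"Origin": origin})
    with urllib.request.urlopen(req) as resp:
        return dict(resp.headers.items())


# Constructed samples: the first matches the question's header list (no ACAO).
SAMPLE_NO_CORS = {"Server": "Apache", "Content-Type": "text/html", "Content-Length": "50"}
SAMPLE_CORS = dict(SAMPLE_NO_CORS, **{"Access-Control-Allow-Origin": ALLOWED_ORIGIN})


def run_samples():
    """Run the four cases the answer's test implies; keys map to True when the behaviour is correct."""
    return {
        "allowed_no_header": cors_verdict(ALLOWED_ORIGIN, SAMPLE_NO_CORS)[0],
        "allowed_with_header": cors_verdict(ALLOWED_ORIGIN, SAMPLE_CORS)[0],
        "other_with_header": cors_verdict("https://other.example", SAMPLE_CORS)[0],
        "other_wildcard": cors_verdict("https://other.example", {"Access-Control-Allow-Origin": "*"})[0],
    }
```

Note that CORS only governs what a browser lets a cross-origin script read; a non-browser client can still call the endpoint directly, so this check confirms the header policy, not that the API is unreachable without it.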