Where to put / configure CORS header Access-Control-Expose-Headers in WSO2 API Manager

Question

I am having a problem with accessing my response headers under CORS scenario. I am doing a CORS call. So, I configured my API configuration in API Manager to accept CORS requests (that is, CORS is enabled for my REST endpoint).

But when my app (Angular2 app) does a post request it (http.post) does not see the response headers. I checked in Chrome Devtools what the browser is receiving by the remote server and it turned out that all expected response headers are received in the browser. Apparently, Angular does not pass it to my code and I am not able to access the headers. Gunter, suggested me to check for the CORS header

Access-Control-Expose-Headers

My question: Where can I tell WSO2 API Manager to pass pass or set this header when CORS is enabled? I tried in api-manager.xml but I did not see the expected header (in my case the header 'Location') after a restart.

Angular2 's Http.post is not returning headers in the response of a POST method invocation

Answer 1

APIM out-of-the-box supports Access-Control-Allow-Headers but not Access-Control-Expose-Headers.

But you can configure APIM to send that header as well. For that, you create a sequence like below and attach it to your API.

<sequence xmlns="http://ws.apache.org/ns/synapse" name="_cors_request_handler_">
     <property name="Access-Control-Expose-Headers" value="Location"  scope="transport" type="STRING"/>
</sequence>

This doc explains how to engage such a sequence file to a particular API or globally to all APIs.

[Update - 2019]

Now APIM by default has a CORS sequence in sequence directory. You can update that accordingly.

And APIM 3.0 supports Access-Control-Expose-Headers out of the box.