Skip to main content
Cartegraph Campus

Cross-Origin Resource Sharing System Settings

You must have administrator rights to access this feature.

There are two system settings related to cross-origin resource sharing (CORS) used to determine which origins hosting web/browser applications are allowed to make requests to a Cartegraph Web server when their origins don't match. For example, a web/browser application hosted at making requests to a Cartegraph web server hosted at

If you have a custom web application integrating with the Cartegraph REST API, you will probably need to whitelist its origin in order for the application to continue working with EnhancedAPISecurity enabled.


This system setting determines whether to check Rest API requests against the CORSWhitelist.

Set to true for new databases and new customers.

Set to false for existing client upgrades.

It is false on upgrade in order to not break any existing browser application integrations using the Cartegraph REST API after Cartegraph is upgraded. This allows time for Cartegraph administrators to configure the CORSWhitelist setting with the origins they need to allow for their web application REST API integrations.


This system setting is a comma-delimited list of origins, where other web applications are hosted, and that are allowed to make incoming cross-origin http requests.

An origin is defined by the scheme (protocol), host (domain), and port of the URL used to access it. For example, a valid origin is where https is the scheme, is the host, and 443 is the default port for https.

Applicable requests from origins not listed in the whitelist are added to the error log. View the error log to determine legitimate, known origins that should be allowed for REST API web application integrations. These requests are logged even with EnhancedAPISecurity set to false in order to help identify integrations before potentially breaking them when EnhancedAPISecurity is set to true. They can then be added to the whitelist.