Skip to main content
Cartegraph Campus

Cross-Origin Resource Sharing System Settings

You must have administrator rights to access this feature.

There are two system settings related to cross-origin resource sharing (CORS) used to determine which origins hosting web/browser applications are allowed to make requests to a Cartegraph Web server when their origins do not match. For example, a web/browser application hosted at making requests to a Cartegraph Web server hosted at

If you have a custom web application integrating with the Cartegraph REST API, you will probably need to its origin in order for the application to continue working with EnhancedAPISecurity enabled.


This system setting determines whether to check Rest API requests against the CORSAllowlist.

Set to true for new databases and new customers.

The setting is not changed for customer upgrades.

It is false on upgrade in order to not break any existing browser application integrations using the Cartegraph REST API after Cartegraph is upgraded. This allows time for Cartegraph administrators to configure the CORSAllowlist system setting with the origins they need to allow for their web application REST API integrations.


This system setting is a comma-delimited list of origins, where other web applications are hosted, and that are allowed to make incoming cross-origin http requests.

An origin is defined by the scheme (protocol), host (domain), and port of the URL used to access it. For example, a valid origin is where https is the scheme, is the host, and 443 is the default port for https.

Applicable requests from origins not listed in the allow list are added to the error log. View the error log to determine legitimate, known origins that should be allowed for REST API web application integrations. These requests are logged even with EnhancedAPISecurity set to false in order to help identify integrations before potentially breaking them when EnhancedAPISecurity is set to true. They can then be added to the allow list.

ArcGIS Allow Origins

This ArcGIS setting is a list of origins of other web applications that can communicate with the ArcGIS portal. Cartegraph suggests leaving Allow Origins blank. If the setting is blank, the ArcGIS portal will able to communicate with any web application, including Cartegraph OMS and Cartegraph One. If your GIS administrator chooses to add an Allow Origin setting, your Cartegraph OMS base URL is required for all Cartegraph products to work properly. Esri Proxy also needs to be set up by Cartegraph's service department for Cartegraph One to work properly.