Cross Origin Resource Sharing (CORS)

Cross-origin resource sharing (CORS) policies are used to control how other systems or websites (origins) are allowed to access resources (APIs and services) provided by your application. For example, Pega Platform uses CORS policies to restrict which Pega Robotic client applications can connect to your Pega applications, and to limit which mobile apps can call Pega mobile services.

Using CORS policies results in reduced costs and implementation times while providing increased security as other systems or websites interact with your application.

To configure a CORS policy, you complete two main tasks:

  • Define the CORS policy for an API or REST service by specifying the allowed origins, allowed headers, exposed headers, allowed methods, credential usage, and preflight expiration time.
  • Map the CORS policy to an endpoint (URL or path) for the API or REST service that you want to protect.
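
The sketch below shows how the six policy settings and the endpoint mapping typically combine when a server answers a browser's preflight and actual requests. It is an added example of generic CORS evaluation, not Pega Platform code; the field names, paths and origins are constructed for illustration.

```javascript
// Added illustration: generic CORS evaluation, not Pega Platform code.
// Field names mirror the six policy settings listed above and are hypothetical.
const policy = {
  allowedOrigins: ["https://robotics.example.com", "https://mobile.example.com"], // constructed
  allowedMethods: ["GET", "POST"],
  allowedHeaders: ["content-type", "authorization"],
  exposedHeaders: ["x-request-id"],
  allowCredentials: true,
  preflightMaxAgeSeconds: 600,
};

// Endpoint-to-policy mapping (the second task): path prefix -> policy. Paths are constructed.
const endpointMap = [{ pathPrefix: "/api/v1/", policy }];

function findPolicy(path) {
  const hit = endpointMap.find((m) => path.startsWith(m.pathPrefix));
  return hit ? hit.policy : null;
}

// Returns the CORS response headers to send, or null when the request is not allowed.
// Assumes req.headers uses lowercase names, as Node's http module provides them.
function corsHeaders(req) {
  const p = findPolicy(req.path);
  const origin = req.headers["origin"];
  // Exact string match on the origin: no substring or suffix matching.
  if (!p || !origin || !p.allowedOrigins.includes(origin)) return null;

  // Echo the specific origin; "*" is not valid together with credentials.
  const out = { "Access-Control-Allow-Origin": origin, Vary: "Origin" };
  if (p.allowCredentials) out["Access-Control-Allow-Credentials"] = "true";

  const reqMethod = req.headers["access-control-request-method"];
  if (req.method === "OPTIONS" && reqMethod) {
    // Preflight: check the method and headers the browser announces.
    if (!p.allowedMethods.includes(reqMethod)) return null;
    const asked = (req.headers["access-control-request-headers"] || "")
      .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);
    if (!asked.every((h) => p.allowedHeaders.includes(h))) return null;
    out["Access-Control-Allow-Methods"] = p.allowedMethods.join(", ");
    out["Access-Control-Allow-Headers"] = p.allowedHeaders.join(", ");
    out["Access-Control-Max-Age"] = String(p.preflightMaxAgeSeconds);
  } else if (p.exposedHeaders.length) {
    // Actual request: name the response headers that scripts may read.
    out["Access-Control-Expose-Headers"] = p.exposedHeaders.join(", ");
  }
  return out;
}
```
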


Use the Cross Origin Resource Sharing (CORS) form (Create > Security > Cross Origin Resource Sharing) to create or modify CORS policies.

Use the Records Explorer to list all CORS policies that are available to you.

You must have valid security privileges (pzCanManageSecurityPolicies) to create or modify CORS policies.


CORS policies are instances of the Data-Admin-Security-CORSPolicy class.

They are part of the Security category.