Skip to main content

This content has been archived and is no longer being updated. Links may not function; however, this content may be relevant to outdated versions of the product.

Support Article

Error with access control while REST service is accessed from JS



A Cross-Origin Resource Sharing (CORS) error regarding access control checks occurred when Pega REST service was accessed from JavaScript or JQuery of a different domain.

Error Messages

XMLHttpRequest cannot load Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'null' is therefore not allowed access.

Steps to Reproduce

1. Create REST Service.
2. Access from different domain.

Root Cause

As per CORS specifications:

A resource makes a cross-origin HTTP request when it requests a resource from a different domain than the one which served itself.

For example, an HTML page served from makes an image request for

Many pages on the web load resources such as CSS, images, and scripts from separate domains. In this case it is Triak.htm

User want to create some custom API for Rest Service. It is verified from the DSS settings, by default there are 3 settings, but user has 6, out of which 3 for their custom API's.
  Following dynamic system setting rules are used to configure the origins, headers, and  max age respectively. These rules should be defined in Pega-API ruleset.


Pega does not support custom Pega Rest Services.

An enhancement request, FDBK-15480, has already been raised.


Suggest Edit

Published December 27, 2016 - Updated October 8, 2020

Did you find this content helpful? Yes No

100% found this useful

Have a question? Get answers now.

Visit the Collaboration Center to ask questions, engage in discussions, share ideas, and help others.

We'd prefer it if you saw us at our best.

Pega Community has detected you are using a browser which may prevent you from experiencing the site as intended. To improve your experience, please update your browser.

Close Deprecation Notice
Contact us