Skip to content

Domain Control (CORS)

Backendless includes a special access control mechanism for restricting domain names and IP address from where an API or hosting request to Backendless may originate from. The mechanics of the feature rely on Cross-origin requests sharing (CORS). By default a Backendless backend data is available for all domains. This can be restricted using Backendless console:

  1. Log in to the Backendless Console and select your app.
  2. Click the Manage icon on the left menu.
  3. Scroll down to the Domain Control section.
  4. Type in a domain name or an IP address (one domain/IP address per line).
  5. Click the Save button to apply the changes.

Once a domain/IP address is added, Backendless will allow only requests originating from the specified hosts (or web pages loaded into a browser from the specified hosts). This applies to both API calls and requests sent to Backendless File Hosting (static and dynamic content).

For the scenario when the origin domain must be simulated (for instance, when you use "curl" for API calls), make sure to add the "Origin" header with a value added to the Domain Control list:

curl -H application-id:XXXX-XXXX-XXXXXXXXX -H secret-key:ZZZZ-ZZZZ-ZZZZZZZZZ -H Content-Type:application/json -H "Origin":""; -X POST -d "{\"foo\":\"999999\",\"bar\":\"DCC-5BB-APITEST001\"}" -v