Exemptions and Cross-origin Resource Sharing (CORS)

How to enable exemptions and CORS on a Cloud Secure Edge (CSE)-secured web service
Updated On: Jun 30, 2025

Exemptions overview

In some scenarios, you may need to exempt specific URLs or source IPs from Cloud Secure Edge (CSE) security policies that manage access to a web service. Admins can add access permission exemptions to do this.

CSE allows you to create exemption rules that target the following network request properties:

  • By Origin Header: Exempt requests originating from a specific URL (e.g., https://console.website.corp.com:443)

  • By Target Domain: Exempt requests targeting a specific URL (e.g., https://public.website.corp.com:443)

  • By Method: Exempt OPTIONS, HEAD, GET, POST, PUT, and/or DELETE requests

  • By Mandatory Headers: Exempt requests that have specific headers

  • By Paths: Exempt requests targeting specific paths (e.g., /web/public)

  • By Source CIDRs: Exempt requests originating from specific IPs (e.g., from a corporate office)

CORS overview

Another common scenario requiring exemptions involves CORS requests. Cross-Origin Resource Sharing (CORS) allows JavaScript on a web page served from an origin domain to make XMLHttpRequests (XHR, a.k.a. AJAX) for resources on an external domain, outside of the origin domain.

For example, a web app served on the origin domain, domain-a.com, is always allowed to make same-origin requests to resources served on domain-a.com. However, requests to resources on the external domain, domain-b.com, are cross-origin.

There are two types of CORS requests:

  • Simple CORS Requests: do not trigger a preflight sequence using the HTTP OPTIONS method.

  • Preflighted CORS Requests: trigger a preflight sequence from the browser to the external domain via the HTTP OPTIONS method. This OPTIONS preflight sequence establishes what methods and headers are supported by the external domain.

Most modern CORS scenarios are Preflighted and involve a preflight sequence via the HTTP OPTIONS method. Furthermore, by default, browsers do NOT send HTTP Cookies and HTTP Authentication headers when making CORS requests. Most modern CORS scenarios use the Requests With Credentials capability to enhance the security of CORS via authentication.

To enable the Requests With Credentials capability, two conditions must be met:

  1. The CORS server at the external domain must be configured to allow credentials via the Access-Control-Allow-Credentials header.

  2. The web application at the origin domain must make XHR CORS requests with the withCredentials property set.

The Access-Control-Allow-Credentials header works in conjunction with the XMLHttpRequest.withCredentials property so CORS requests can use credentials such as cookies, authorization headers, and TLS client certificates.
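As an added example (not part of the CSE documentation), the following shows what the CORS server at the external domain (domain-b.com in the text) must answer for the OPTIONS preflight and for the credentialed request itself. It assumes an explicit origin allowlist containing domain-a.com and request headers passed as a plain object with lower-case keys; the rule that a credentialed response must echo the exact origin rather than a wildcard is standard browser CORS behaviour.

```javascript
// Server-side CORS decision for domain-b.com (added example, not CSE code).
// Assumption: the allowlist, methods and headers below are placeholders.
const ALLOWED_ORIGINS = new Set(['https://domain-a.com']);
const ALLOWED_METHODS = ['GET', 'POST', 'PUT', 'DELETE'];
const ALLOWED_HEADERS = ['content-type', 'authorization'];

// Returns the CORS response headers for a request, or {} when the request
// is not an allowed cross-origin request (the browser then blocks it).
function corsHeaders(req) {
  const origin = req.headers['origin'];
  // Same-origin and non-browser requests carry no Origin header.
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return {};

  // Requests With Credentials: browsers reject "*" here, so echo the exact
  // allowed origin and add Vary so caches keep per-origin answers apart.
  const out = {
    'access-control-allow-origin': origin,
    'access-control-allow-credentials': 'true',
    'vary': 'Origin',
  };

  const isPreflight = req.method === 'OPTIONS' &&
    ('access-control-request-method' in req.headers);
  if (isPreflight) {
    const wantedMethod = req.headers['access-control-request-method'];
    if (!ALLOWED_METHODS.includes(wantedMethod)) return {};
    const wantedHeaders = (req.headers['access-control-request-headers'] || '')
      .split(',').map((h) => h.trim().toLowerCase()).filter(Boolean);
    if (!wantedHeaders.every((h) => ALLOWED_HEADERS.includes(h))) return {};
    // Tell the browser what the external domain supports, as the text says.
    out['access-control-allow-methods'] = ALLOWED_METHODS.join(', ');
    out['access-control-allow-headers'] = ALLOWED_HEADERS.join(', ');
    out['access-control-max-age'] = '600';
  }
  return out;
}

// Constructed sample: the preflight a browser sends from domain-a.com before
// a PUT carrying an Authorization header with withCredentials set.
const samplePreflight = {
  method: 'OPTIONS',
  headers: {
    origin: 'https://domain-a.com',
    'access-control-request-method': 'PUT',
    'access-control-request-headers': 'Content-Type, Authorization',
  },
};
console.log(corsHeaders(samplePreflight));
```

On the CSE side, the same preflight must be exempted with a By Method rule for OPTIONS, since the browser sends it before any credential is attached.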