Skip To Content

Restricting cross-domain requests to ArcGIS Server

By default, ArcGIS Server allows cross-domain requests so Javascript clients can invoke the server's services from any domain.

If you want to restrict requests to specific domains for Javascript applications, you can configure ArcGIS Server to trust only certain domains. You'll do this using the ArcGIS Server Administrator Directory.

Restricting requests from Javascript applications

By default, ArcGIS Server allows all Javascript applications access to web services. If you want to prevent usage of your web services by certain Javascript applications hosted on other domains, you can configure ArcGIS Server to include a list of only the domains you trust. This reduces the possibility that an unknown application could send malicious commands to your web services.


Requests sent through a web server, reverse proxy, or load balancer that does not have any restriction of hosts allowed to make CORS requests will appear to be allowed from hosts denied in ArcGIS Server's AllowedOrigins. You will need to configure the web server, reverse proxy, or load balancer to follow the same restrictions as your ArcGIS Server site.

  1. Open the ArcGIS Server Administrator Directory and log in with a user that has administrative access to the server. The URL is formatted
  2. Click system > handlers > rest > servicesdirectory.
  3. On the Services Directory page, click edit.
  4. In the AllowedOrigins field, specify a comma-separated list of machines and their domain names that are allowed to access your web services, for example,,,

    Use of the * wildcard character as a substitute for the machine name is not supported. You must specify the fully qualified domain name of the machine in the list.

  5. Click Save.