Restrict cross-domain requests to your portal

By default, an ArcGIS Enterprise portal allows cross-domain requests via Cross-Origin Resource Sharing (CORS). This means a JavaScript client such as a web application hosted on any domain can connect to your portal's resources.

To limit cross-domain requests from JavaScript applications to specific domains, configure your portal to trust only those domains. You do this by adding the domain names to the list of allowed origins in your ArcGIS Enterprise portal's security settings. This reduces the possibility that an unknown application could send malicious commands to your web services.

Note:

Settings for CORS headers implemented at the web adaptor, reverse proxy, or load balancer can interfere with the Portal for ArcGIS settings defined by the Allow origins property. In most instances, it is recommended that you allow Portal for ArcGIS to manage sending the appropriate CORS headers based on the Allow origins property. This ensures that multiple CORS headers are not returned to the browser; returning multiple CORS headers causes an error.

  1. Log in to your portal as an administrator.
  2. Click Organization > Settings > Security.
  3. Scroll down to Allow Origins.
  4. Enter the domain name of the site hosting the web application that needs access to items on your portal. The protocol (http or https) must be included with the domain name, such as https://webapp.domain.com.
    Note:

    Use of the * wildcard character as a substitute for the machine name is not supported. You must specify the fully qualified domain name of the machine in the list.

  5. Click Add Domain to add the site to the list. Once you've added one or more domains, the portal will only accept CORS requests from those specified domains. Repeat this for each site you want to be able to send requests to your portal.
  6. When you're finished adding domains, click Save.
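
The following Python sketch is an added example, not Esri code. It checks candidate Allow Origins entries against the rules in step 4 and audits a response's headers for the multiple-header condition described in the note above. The function names and sample headers are constructed for illustration, and the "contains a dot" test for a fully qualified name is an assumption.

```python
from urllib.parse import urlsplit

def check_origin_entry(entry):
    """Problems with a candidate Allow Origins entry; an empty list means it passes."""
    problems = []
    if "*" in entry:
        problems.append("wildcard (*) is not supported")
    parts = urlsplit(entry.strip())
    if parts.scheme not in ("http", "https"):
        problems.append("protocol (http or https) must be included")
    elif not parts.hostname or "." not in parts.hostname:
        # Assumption: a fully qualified name contains at least one dot.
        problems.append("host must be a fully qualified domain name")
    return problems

def audit_cors_response(origin, headers, allowed):
    """Check one response against the allow list.

    origin  -- value sent in the request's Origin header
    headers -- list of (name, value) pairs as received, duplicates preserved
    allowed -- origins entered under Allow Origins
    """
    acao = [v.strip() for k, v in headers
            if k.lower() == "access-control-allow-origin"]
    findings = []
    if len(acao) > 1:
        findings.append("multiple Access-Control-Allow-Origin headers; "
                        "check the web adaptor, reverse proxy, or load balancer")
    # A browser grants access when the header echoes the origin or is "*".
    granted = origin in acao or "*" in acao
    if origin in allowed and not granted:
        findings.append("listed origin was not granted access")
    if origin not in allowed and granted:
        findings.append("unlisted origin was granted access")
    return findings

# Constructed sample data (not captured from a real portal).
ALLOWED = ["https://webapp.domain.com"]
DUPLICATED = [("Content-Type", "application/json"),
              ("Access-Control-Allow-Origin", "https://webapp.domain.com"),
              ("access-control-allow-origin", "*")]
CLEAN = [("Content-Type", "application/json"),
         ("Access-Control-Allow-Origin", "https://webapp.domain.com")]

if __name__ == "__main__":
    for entry in ("https://webapp.domain.com", "webapp.domain.com",
                  "https://*.domain.com"):
        print(entry, "->", check_origin_entry(entry) or "ok")
    print(audit_cors_response("https://webapp.domain.com", DUPLICATED, ALLOWED))
    print(audit_cors_response("https://other.example", DUPLICATED, ALLOWED))
```

To audit a live portal, pass the header pairs from a request sent with an Origin header, for example the list returned by `http.client.HTTPResponse.getheaders()`.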