Skip To Content

Restrict cross-domain requests to your portal

By default, an ArcGIS Enterprise portal allows cross-domain requests via Cross-Origin Resource Sharing (CORS). This means a JavaScript client such as a web application hosted on any domain can connect to your portal's resources.

If you want to restrict requests from specific domains for JavaScript applications, you can configure your portal to only trust certain domains. You'll do this by adding domain names to the list of allowed origins in your ArcGIS Enterprise portal's security settings. This reduces the possibility that an unknown application could send malicious commands to your web services.


If incoming CORS requests go through a reverse proxy, a load balancer, or an additional web server prior to reaching your portal, the restrictions made using the following steps may not be honored. In these cases, you will need to configure the reverse proxy, load balancer, or web server to follow the same restrictions as your portal.

  1. Log in to your portal as an administrator.
  2. Click Organization > Settings > Security.
  3. Scroll down to Allow Origins.
  4. Enter the domain name of the site hosting the web application that needs access to items on your portal. The protocol (http or https) must be included with the domain name, such as

    Use of the * wildcard character as a substitute for the machine name is not supported. You must specify the fully qualified domain name of the machine in the list.

  5. Click Add Domain to add the site to the list. Once you've added one or more domains, the portal will only accept CORS requests from those specified domains. Repeat this for each site you want to be able to send requests to your portal.
  6. When you're finished adding domains, click Save.