Restrict cross-domain requests to ArcGIS Server

By default, ArcGIS Server allows cross-domain requests (CORS) so JavaScript clients can invoke the server's services from any domain.

To restrict requests to specific domains for JavaScript applications, you can configure ArcGIS Server to trust only certain domains. Do this using the ArcGIS Server Administrator Directory.

Restrict requests from JavaScript applications

By default, ArcGIS Server allows all JavaScript applications access to web services. A property named AllowedOrigins controls this behavior (its default setting is the wildcard symbol *). To prevent usage of your web services by certain JavaScript applications hosted on other domains, you can change the value of AllowedOrigins to include a list of only the domains you trust. This reduces the possibility that an unknown application could send malicious commands to your web services.

Note:

Settings for CORS headers implemented at the web adaptor, reverse proxy, or load balancer can interfere with ArcGIS Server settings defined by the AllowedOrigins property. In most instances, it is recommended that you allow ArcGIS Server to manage sending the appropriate CORS headers based on the AllowedOrigins property. This ensures that separate CORS headers do not need to be defined for the web adaptor, reverse proxy, or load balancer.

  1. Open the ArcGIS Server Administrator Directory and sign in as a user that has administrative access to the server. The URL has the format https://gisserver.domain.com:6443/arcgis/admin.
  2. Click system > handlers > rest > servicesdirectory.
  3. On the Services Directory page, click edit.
  4. In the AllowedOrigins field, specify a comma-separated list of machines and their domain names that are allowed to access your web services, for example, https://machine.esri.com, http://host.arcgis.com, https://gisserver.example.com.
    Note:

    You cannot use the * wildcard character in the domain name as a substitute for the machine name, such as https://*.example.com. You must specify the fully qualified domain name of each machine in the list.

  5. Click Save.

Restrict cross-origin requests to OGC web service endpoints

  1. Browse to system > handlers > soap > soaphandlerconfig.
  2. On the SOAP Handler Config page, click edit.
  3. In the AllowedOrigins field, specify a comma-separated list of machines and their domain names that are allowed to access your web services through SOAP—for example, https://machine.esri.com, http://host.arcgis.com, https://gisserver.example.com.
    Note:

    You cannot use the * wildcard character in the domain name as a substitute for the machine name, such as https://*.example.com. You must specify the fully qualified domain name of each machine in the list.

  4. Click Save.
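
The following is an added example, not Esri code: a pre-check for a proposed AllowedOrigins value before it is pasted into either the servicesdirectory or the soaphandlerconfig edit page, applying the rules in the two notes above (no * in the host name, one fully qualified domain name per entry). The function name and sample values are constructed, and it assumes every entry follows the scheme://host[:port] form used in the page's examples.

```python
from urllib.parse import urlsplit


def check_allowed_origins(value):
    """Split a comma-separated AllowedOrigins value.

    Returns (origins, problems): the normalized entries that pass the
    checks, and (entry, reason) pairs for those that do not.
    """
    origins, problems = [], []
    for raw in value.split(","):
        entry = raw.strip()
        if not entry:
            continue  # ignore empty items such as a trailing comma
        if entry == "*":
            problems.append((entry, "default wildcard: every origin is allowed"))
            continue
        if "*" in entry:
            problems.append((entry, "wildcard in host name; list each FQDN"))
            continue
        try:
            parts = urlsplit(entry)
            host, port = parts.hostname or "", parts.port
        except ValueError:  # malformed port or bracketed host
            problems.append((entry, "not a parseable origin"))
            continue
        if parts.scheme not in ("http", "https") or not host:
            problems.append((entry, "expected http(s)://host[:port]"))
        elif parts.path or parts.query or parts.fragment:
            # A browser's Origin header carries no path or trailing slash.
            problems.append((entry, "origin must not include a path or query"))
        elif "." not in host:
            problems.append((entry, "host is not a fully qualified domain name"))
        else:
            suffix = f":{port}" if port else ""
            origins.append(f"{parts.scheme}://{host}{suffix}")
    return origins, problems


if __name__ == "__main__":
    # Constructed sample: two valid entries and four that should be flagged.
    sample = ("https://machine.esri.com, http://host.arcgis.com, "
              "https://*.example.com, gisserver.example.com, "
              "https://gisserver/arcgis, https://intranet")
    ok, bad = check_allowed_origins(sample)
    print("accepted:", ", ".join(ok))
    for entry, reason in bad:
        print(f"rejected: {entry} ({reason})")
```
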