Configuring cross-origin resource sharing (CORS)

Configure cross-origin resource sharing (CORS) to allow a web application from another origin to access resources on a Domino web server.

About this task

For security reasons, most browsers comply with the same-origin policy rule. This rule restricts a web page loaded from one origin from accessing resources on a different server (or origin). CORS allows you to define exceptions to the same-origin policy. Most browsers support CORS.

  • CORS is supported as of Domino 10.0.1 Fix Pack 2.
  • CORS is supported on Windows, Linux and IBM AIX. It is not supported on IBM i.

For example, assume a web application loaded from Server A (an Apache server) makes REST API requests to Server B (a Domino server). Configure CORS on Server B to allow a web page loaded from Server A to make REST API requests to Server B.

CORS works for Domino Access Services (DAS) APIs and other kinds of REST APIs hosted on Domino. Indeed, CORS works for any type of Domino HTTP resource.

Complete the following steps to configure CORS on a Domino server.


  1. Enable CORS in the Server document of the Domino server:
    Note: Alternatively, enable CORS in a Web site document (Configuration tab).
    1. Open the Server document in the Domino directory. (Configuration through Internet site document is not supported).
    2. Select the Internet Protocols > HTTP tab.
    3. In the DSAPI section, add the following value to the DSAPI filter file names field:
      • (Windows) ncorsext
      • (All other platforms) corsext
  2. Create a JSON file that defines the origins that can access the Domino server:
    Note: If you enabled CORS through a Web site document, complete this step and the next one on each server that is associated with the Web site.
    1. Create a new folder, cors, in the ...Domino\data\domino folder on the server.
    2. Create a new file cors-rules.json in cors folder.
    3. In cors-rules.json define the origins that the Domino server can access. For details, see CORS JSON configuration.
  3. Stop and restart the HTTP server task:
    tell http quit 
    load http  


The following message at HTTP server startup means that CORS is correctly configured:
HTTP Server: DSAPI CORS Filter Loaded successfully
The following message at HTTP server startup means that there is a problem with the CORS configuration:
HTTP Server: Failed to load DSAPI module ncorsext