Skip to main content

Why Does Galxe Need Cross-Domain Checks?

1. Ensure Target API Authorization

When Galxe calls third-party APIs from the backend, it is necessary to confirm whether these APIs have open access permissions. The CORS configuration authorizes access by returning the Access-Control-Allow-Origin header: Designated Source: Such as https://dashboard.galxe.com. Wildcard (*): Allows all sources, including Galxe.

2. Prevent Unauthorized Calls

CORS checks can prevent: Data Breach: Prevent unauthorized sources from accessing the API. Abuse of Functionality: Restrict the scope of API calls.

The Working Mechanism of CORS

1. Access-Control-Allow-Origin

The target API can be authorized in two ways: Designated Source: More stringent configuration, allowing requests only from Galxe. 
  access-control-allow-origin: https://dashboard.galxe.com
  • Wildcard (*): Allows cross-origin requests from all sources and meets authorization requirements.
access-Control-Allow-Origin: *

2. Access-Control-Allow-Methods

Specify the allowed HTTP methods, for example: 
access-control-allow-methods: GET, POST,OPTIONS

3. Preflight Request

Galxe requires that the target API supports OPTIONS requests to verify that the CORS configuration is correct.

Server Configuration Requirements

1. Example Configuration

The target API needs to support the following CORS configuration: Open Authorization: 
access-control-allow-origin: *
access-control-allow-methods: GET, POST,OPTIONS
Designated Source Authorization: 
access-control-allow-origin: https://dashboard.galxe.com
access-control-allow-methods: GET, POST,OPTIONS

2. Response to Preflight Request

The target server must appropriately respond to preflight requests: 
HTTP/1.1 204 No Content
access-control-allow-origin: *
access-control-allow-methods: GET, POST,OPTIONS

Testing and Verification

Recommended to Use curl Command 
// For GET
curl --head -X 'OPTIONS' -H 'Access-Control-Request-Headers: Content-Type' -H 'Access-Control-Request-Method: GET' -H 'Origin: https://dashboard.galxe.com' '$END_POINT_URL_WITHOUT_ADDRESS_REPLACED$'

// For POST
curl --head -X 'OPTIONS' -H 'Access-Control-Request-Headers: Content-Type' -H 'Access-Control-Request-Method: POST' -H 'Origin: https://dashboard.galxe.com' '$YOUR_URL_HERE$'
Correct Response Example 
HTTP/1.1 204 No Content
access-control-allow-origin: https://dashboard.galxe.com
access-control-allow-methods: POST,GET,OPTIONS

Frequently Asked Questions

1. Why Is Access-Control-Allow-Origin: * Allowed?

Because Galxe’s check only verifies whether the target API supports cross-origin, * indicates that all origins are authorized, including Galxe, which meets the requirements.

2. Why Did the Test Succeed but the Save Fail?

The target API may not be handling preflight requests correctly. Ensure that OPTIONS requests are supported and that a complete CORS configuration is returned.
I