The Web API supports configuration of CORS policies for requests originating from JavaScript running in a browser. By default, the WebApi allows requests from all origins.

To restrict access to JavaScript hosted on the same server as the Web API, set the AllowAll property to False.

To restrict access to specific origins, set the AllowAll property to False, and then list the specific origins as properties under \Site\Properties\WebApi\Cors\AllowedOrigins.