Blog

Azure API Management: CORS policy in inbound and outbound sections, XML pitfalls, and developer portal testing

Apply cors() in the inbound pipeline for preflight; mirror headers on error responses via outbound policies.

Published: 2027-03-18Updated: 2027-03-201 min read

azureapi-managementcors

Products and subscriptions

Subscription keys in headers differ from browser-friendly flows—document which patterns your SPA may use.

Rate limit by subscription to isolate abusive origins.

Application Insights correlation IDs help trace APIM → backend latency separate from CORS overhead.

Enable request/response logging in non-production only to avoid leaking secrets.