Skip To Content

Restrict cross-domain requests to ArcGIS Server

By default, ArcGIS Server allows cross-domain requests so JavaScript clients can invoke the server's services from any domain.

If you want to restrict requests to specific domains for JavaScript applications, you can configure ArcGIS Server to trust only certain domains. Do this using the ArcGIS Server Administrator Directory.

Restrict requests from JavaScript applications

By default, ArcGIS Server allows all JavaScript applications access to web services. A property called AllowedOrigins controls this behavior (its default setting is the wildcard symbol *). If you want to prevent usage of your web services by certain JavaScript applications hosted on other domains, you can change the value of AllowedOrigins to include a list of only the domains you trust. This reduces the possibility that an unknown application could send malicious commands to your web services.


Requests sent through a web server, reverse proxy, or load balancer that does not have any restriction of hosts allowed to make CORS requests appear to be allowed from hosts denied by the AllowedOrigins property. You must configure the web server, reverse proxy, or load balancer to follow the same restrictions as your ArcGIS Server site.

  1. Open the ArcGIS Server Administrator Directory and log in with a user that has administrative access to the server. The URL is formatted
  2. Click system > handlers > rest > servicesdirectory.
  3. On the Services Directory page, click edit.
  4. In the AllowedOrigins field, specify a comma-separated list of machines and their domain names that are allowed to access your web services, for example,,,

    You cannot use the * wildcard character in the domain name as a substitute for the machine name, such as https://* You must specify the fully qualified domain name of each machine in the list.

  5. Click Save.