Currently, the Acces-Control-Allow header is hardcoded to a * return value, i.e. the API can be called from any website. While this is a sane default, it might not be wanted in every case. The header value sent should be configurable via setting (assuming a global value for all controllers).
Currently, the Acces-Control-Allow header is hardcoded to a
*return value, i.e. the API can be called from any website. While this is a sane default, it might not be wanted in every case. The header value sent should be configurable via setting (assuming a global value for all controllers).