Complete the code to set the HTTP method for a CORS preflight request in Postman.
pm.sendRequest({ method: '[1]', url: 'https://api.example.com/data' }, function (err, res) { console.log(res.status); });The CORS preflight request uses the HTTP OPTIONS method to check permissions before the actual request.
Complete the code to add the 'Origin' header in a Postman request for CORS testing.
pm.sendRequest({ url: 'https://api.example.com/data', method: 'GET', headers: { 'Origin': '[1]' } }, function (err, res) { console.log(res.headers.get('Access-Control-Allow-Origin')); });The Origin header should be set to the domain you want to test CORS permissions for, such as a trusted domain.
Fix the error in the Postman test script to correctly check if CORS allows the origin.
pm.test('CORS allows origin', function () { pm.expect(pm.response.headers.get('[1]')).to.eql('https://trusted.com'); });
The server sends the Access-Control-Allow-Origin header to indicate which origins are allowed.
Fill both blanks to create a Postman request that sends a custom header and checks if the server allows it via CORS.
pm.sendRequest({ url: 'https://api.example.com/data', method: 'GET', headers: { '[1]': 'customValue', 'Origin': 'https://trusted.com' } }, function (err, res) { pm.test('Server allows custom header', function () { pm.expect(res.headers.get('[2]')).to.include('[1]'); }); });The custom header is named X-Custom-Header. The server indicates allowed headers in Access-Control-Allow-Headers.
Fill all three blanks to write a Postman test that verifies the server supports credentials in CORS.
pm.sendRequest({ url: 'https://api.example.com/data', method: 'GET', headers: { 'Origin': '[1]' }, credentials: '[2]' }, function (err, res) { pm.test('CORS supports credentials', function () { pm.expect(res.headers.get('[3]')).to.eql('true'); }); });The Origin header is set to the trusted domain. The credentials option must be include to send cookies. The server indicates support with Access-Control-Allow-Credentials header set to 'true'.