Configuring the REST API properties via panel.ini

Restricting Remote Access via REST API
Allowing HTTP

By default, REST API allows only HTTPS requests. HTTPS encrypts and secures the data sent via REST API. However, you can configure REST API to accept requests sent via plain HTTP. To do so, add the following lines to the panel.ini file:

[api]
allowPlainHttpAccess = on

Note: For security reasons, we do not recommend sending REST API requests via HTTP.

Disabling or limiting CORS

By default, REST API allows cross-origin resource sharing (CORS). To enhance security, you can completely disable CORS or restrict it to particular domains and HTTP methods. To disable CORS, add the following lines to the panel.ini file:

[ext-rest-api]
cors.enabled = off

If you do not want to completely disable CORS, you can restrict its usage to particular domains and methods. To do so, add lines of the following pattern to the panel.ini file:

[ext-rest-api]
cors.origin = domain_name
cors.methods = HTTP_method

For example, to accept cross-origin API requests only with the GET and POST methods and only from example.com, add the following lines to panel.ini:

[ext-rest-api]
cors.origin = example.com
cors.methods = GET,POST
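
The following Python script is an added example, not part of the original page: it audits the text of a panel.ini file for the settings described above, flagging plain HTTP access and CORS left enabled without an origin or method restriction. The function name, the finding labels, and the treatment of true/yes/1 and false/no/0 as equivalents of on/off are assumptions; the sample configurations are constructed.

```python
import configparser

TRUTHY = {"on", "true", "yes", "1"}    # assumption: PHP-ini style booleans
FALSY = {"off", "false", "no", "0"}    # assumption: PHP-ini style booleans


def _get(cfg, section, key):
    """Return the normalized value of key in section, or None if absent."""
    if cfg.has_section(section) and cfg.has_option(section, key):
        return cfg.get(section, key).strip().strip("\"'").lower()
    return None


def audit_panel_ini(text):
    """Return a list of findings for the REST API settings in panel.ini text."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.optionxform = str  # keep key case, e.g. allowPlainHttpAccess
    cfg.read_string(text)
    findings = []

    # HTTPS-only is the default; flag an explicit opt-in to plain HTTP.
    if _get(cfg, "api", "allowPlainHttpAccess") in TRUTHY:
        findings.append("plain-http: REST API accepts unencrypted HTTP requests")

    # CORS is allowed by default, so a missing cors.enabled key counts as on.
    cors_on = _get(cfg, "ext-rest-api", "cors.enabled") not in FALSY
    if cors_on and not _get(cfg, "ext-rest-api", "cors.origin"):
        findings.append("cors-origin: CORS enabled with no cors.origin restriction")
    if cors_on and not _get(cfg, "ext-rest-api", "cors.methods"):
        findings.append("cors-methods: CORS enabled with no cors.methods restriction")
    return findings


# Constructed sample configurations (not taken from a real server).
WEAK = "[api]\nallowPlainHttpAccess = on\n"
RESTRICTED = "[ext-rest-api]\ncors.origin = example.com\ncors.methods = GET,POST\n"
DISABLED = "[ext-rest-api]\ncors.enabled = off\n"

if __name__ == "__main__":
    for name, sample in (("weak", WEAK), ("restricted", RESTRICTED),
                         ("disabled", DISABLED), ("empty", "")):
        print(name, audit_panel_ini(sample) or "no findings")
```
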