Skip to main content
Code42 Support

Configure the CORS domain whitelist for web applications

Applies to:
  • Code42 CrashPlan (previously CrashPlan PROe)


Typically, web requests are restricted to only the current domain, per the same-origin policy. Cross-origin resource sharing (CORS) allows for web requests from different domains. If you have a CORS-enabled web environment, you may want to restrict outside access to your Code42 server to only those requests originating from approved domains. This tutorial explains how to create a CORS whitelist of domains to accept web requests from.


  • Only domains that are absolutely needed for cross-origin communication should be whitelisted.
  • Extreme caution must be taken when specifying the domains in the whitelist because an overly permissive CORS policy may allow malicious applications to communicate with your application in an inappropriate way.
  • There are numerous Code42 API resources that support CORS that you can call from a domain added to the CORS whitelist.

Before you begin

Carefully consider the situations for which the whitelist is needed. For example, you want to enable cross-origin resource requests to support your company's internal application so that it can consume Code42 APIs that are on different DNS domains. The whitelist should restrict domains as narrowly as possible to allow access only to those domains needed for these requests.

Carefully planning the domains needed in the whitelist will ensure secure access to your Code42 environment.

Create the CORS whitelist

  1. Sign in to the administration console.

  2. Double-click the logo in the upper-left corner of the administration console.
    The command-line interface appears in the administration console.
  3. To view the current CORS whitelist setting in your Code42 environment, enter the following command: c42.private.server.cors.domain.whitelist

  1. Enter the followingprop.setcommand at the top of the command-line interface to set the whitelist on all Code42 servers in your environment:

prop.set c42.private.server.cors.domain.whitelist "<domains>" save all

Replace <domains> with a comma-separated list of domains that are allowed to communicate with the Code42 environment.

Alternatively, you can enter the following command to set the whitelist on a specific Code42 server:

prop.set c42.private.server.cors.domain.whitelist "<domains>" save destination <guid>

Replace <guid> with the destination's GUID.

Overwriting values
Setting a new value with a prop.set command overwrites any existing value.
Warning for using the whitelist command
Use great care with syntax when entering this command. Placing improper characters into this command and then executing it can result in your Code42 server becoming inaccessible. If this occurs, remove the CORS whitelist and re-enter the whitelist command correctly.
  1. To verify the new setting in your Code42 environment, enter the following command: c42.private.server.cors.domain.whitelist

  1. Verify that the resource to which you granted whitelist status can successfully access your Code42 environment.

Remove the CORS whitelist

If you place incorrect syntax in your domain list (for example, you enclose the domain list in single quotation marks rather than double quotation marks), it can cause the Code42 server to become inaccessible.

To recover from this error, use the following curl command to remove the CORS whitelist:

curl -u <admin username>:<admin password> -X POST -H "Content-Type: application/json" -d '{"command": "prop.remove c42.private.server.cors.domain.whitelist"}' https://<master server address>:4285/api/Cli