# Cross-Origin Resource Sharing (CORS)

By default, for security reasons, the SCIM interface is exposed to any server application, but not to client-side (JavaScript) applications.

To allow client-side applications to query or modify SCIM objects, the CORS protocol defines how to declare the restrictions that apply to them. CORS settings can be tuned by adding two [parameters](https://bookstack.soffid.com/books/soffid-3-reference-guide/page/soffid-parameters "Soffid parameters"):

<table border="1" id="bkmrk-parameter-value-soff" style="border-collapse: collapse; width: 100%;"><tbody><tr><td style="width: 27.7105%;">Parameter</td><td style="width: 72.4019%;">Value</td></tr><tr><td style="width: 27.7105%;">**soffid.scim.cors.origin**</td><td style="width: 72.4019%;">Set a comma-separated list of DNS domains allowed to perform SCIM operations.

Set to \* to allow access from any domain.

</td></tr><tr><td style="width: 27.7105%;">**soffid.scim.cors.methods**</td><td style="width: 72.4019%;">Set a comma-separated list of allowed operations.

By default, it is set to **GET, OPTIONS, HEAD**

To allow any operation, set it to **GET, POST, PUT, PATCH, DELETE, OPTIONS, HEAD**

</td></tr></tbody></table>

These parameters can be changed in real time for any tenant. Note that values set for the master tenant apply to the master tenant and also serve as default values for every child tenant.
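
One way to check the effect of these two parameters is to compare the CORS response headers a browser receives with the values you meant to configure. The following is an added example, not Soffid code: `auditCors`, the `intended` object and the sample headers are hypothetical, and it assumes the entries of `soffid.scim.cors.origin` are matched against the hostname of the request's `Origin`.

```javascript
// Added example, not Soffid code. Audits observed CORS preflight response
// headers against the values you meant to configure.
const READ_ONLY = ["GET", "OPTIONS", "HEAD"]; // documented default methods

const parseList = (v) =>
  (v || "").split(",").map((s) => s.trim()).filter(Boolean);

// probeOrigin: Origin header sent with the preflight request
// headers:     response headers, names lower-cased
// intended:    { domains: [...], methods: [...] } mirroring the two parameters
function auditCors(probeOrigin, headers, intended) {
  const findings = [];
  const host = new URL(probeOrigin).hostname; // assumption: entries are hostnames
  const acao = (headers["access-control-allow-origin"] || "").trim();
  const methods = parseList(headers["access-control-allow-methods"])
    .map((m) => m.toUpperCase());
  const granted = acao === "*" || acao === probeOrigin;
  const wanted =
    intended.domains.includes("*") || intended.domains.includes(host);

  if (acao === "*" && !intended.domains.includes("*"))
    findings.push("wildcard origin returned but not intended");
  if (granted && !wanted)
    findings.push(`unintended origin granted: ${probeOrigin}`);
  if (!granted && wanted)
    findings.push(`intended origin refused: ${probeOrigin}`);
  if (granted) {
    const extra = methods.filter((m) => !intended.methods.includes(m));
    if (extra.length) findings.push(`unintended methods: ${extra.join(", ")}`);
    // Always reported, so cross-origin write access is a conscious choice.
    const writes = methods.filter((m) => !READ_ONLY.includes(m));
    if (writes.length) findings.push(`write methods exposed: ${writes.join(", ")}`);
  }
  return findings;
}

// Constructed sample: headers as a browser would see them after a preflight.
const sample = {
  "access-control-allow-origin": "*",
  "access-control-allow-methods": "GET, POST, PUT, PATCH, DELETE, OPTIONS, HEAD",
};
console.log(auditCors("https://other.example.net", sample,
  { domains: ["app.example.com"], methods: READ_ONLY }));
```

An empty result means the observed headers match the intended policy for that probe origin; repeat the check per tenant, since child tenants inherit the master tenant's values as defaults.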