Not a developer? Go to



This is documentation about a configuration directive, which can be placed within Movable Type’s core configuration file, mt-config.cgi, to customize the behavior of the system.

DataAPICORSAllowMethods is used to specify the Access-Control-Allow-Methods response value sent back from the Data API endpoint.

When retrieving data from external sites using JavaScript’s XMLHttpRequest Level 2 with a web browser or a client application, the returned header information is subject to a number of different Cross Origin Resource Sharing (CORS) security restrictions. Express permission must be granted through Movable Type using the Access-Control-Allow-Methods header to allow responses to non-GET or POST methods to be sent.

In order to determine what methods a client application is allowed to use to make requests from the Data API, a preflight request can be sent to the server where the Data API is operating. If the request is made from a site that is permitted to use the Data API, the method names that can be used are placed in the Access-Control-Allow-Methods header attribute and returned as part of the REST query response.


DataAPICorsAllowMethods GET, POST, OPTIONS, *

Default Value

* (Asterisk, meaning “all”)