JavaScript API: Proxy Incoming Requests

It can be tricky to serve content from different domains as part of the same web page. To protect against malicious scripts, web browsers enforce a same-origin policy whereby scripts have permission to access only data from the same origin (domain and port number). Websites that violate the same-origin policy are said to be engaging in cross-site scripting (XSS). Such websites will not function properly in modern web browsers.

A common integration of Exago BI into a host application is to separate the installation of Exago onto its own web server. API calls between the host app and Exago are communicated via a web service.

When embedding Exago content into a host web page, iFrames work around the same-origin policy because the iFrame barrier effectively isolates the embedded page from the surrounding content. No scripts can cross the barrier in either direction.

However, when using the Exago JavaScript API to embed content directly in the host DOM, browsers will complain if the embedded content is thought to be coming from a different domain than the host. One way to work around this restriction is to use the host web server as a proxy server. The host can be configured as the entry point for requests to Exago, which it then redirects to the Exago server. This is known as a reverse proxy.

This setup can have some security advantagesall external calls are routed through the host server, thus preventing potential attackers from being able to access the Exago server directly. Exago can be hidden behind a firewall and requests filtered based on their content.

The following sections explain how you might set up this configuration.

Configure the Host Server

The host server application should be configured as follows:


First ensure that the Application Request Routing extension is installed.

Enable Proxy

  1. In IIS select the web server then open Application Request Routing Cache.
  2. Click Server Proxy Settings
  3. Select Enable proxy then click Apply.

Set up URL Rewrite

  1. In IIS select the Default Web Site then open URL Rewrite.
  2. For both the web application and web service do the following:
    1. Click Add Rule(s)
    2. Select Reverse Proxy then click OK.
    3. Enter the Exago BI server / web service address in the Inbound Rule field.
    4. Enter the Exago BI server / web service address in the Outbound Rule - From: field.
    5. Enter the host application address in the Outbound Rule - To: field.
    6. Click OK.

See Setup IIS with URL Rewrite as a reverse proxy for real world apps (MSDN) for more information.


Add the following lines to httpd.conf

LoadModule proxy_module        modules/
LoadModule proxy_ajp_module    modules/
LoadModule proxy_http_module   modules/
ProxyPass /{EXAGO}             http://localhost/{EXAGO}
ProxyPass /{EXAGO_WEBSERVICE}  http://localhost/{EXAGO_WEBSERVICE}

See Running a Reverse Proxy with Apache for more information.

Configure Exago BI

Exago BI should be configured as follows:

Add the following to the web service configuration file - Config\WebReportsApi.xml:


Finally, make sure that any references in the host application to Exago BI (web application or web service) use the proxy URL.

Hidden Article Information

Article Author
Exago Development
created 2017-11-06 15:22:02 UTC
updated 2018-01-31 17:41:46 UTC

web, service, api, javascript, xss, cross, site, scripting, arr, iis, apache, url, rewrite, reverse, proxy, host,
Have more questions? Submit a request