How do you enable cross origin resource sharing (CORS) for Sugar 7 REST API?

A recently asked question that I've decided to answer here in the community so all can benefit since I did not see it asked here previously.
How do you enable cross origin resource sharing for Sugar 7 REST API?
Cross Origin Resource Sharing (CORS) allows clients to selectively by-pass the Same-origin policy implemented by web browsers.  The Same-origin policy prevents web pages from accessing data from a different origin than the current one for security reasons.  In particular, this prevents any arbitrary JavaScript web app from calling the Sugar 7 REST API directly using AJAX.  CORS is the accepted standard for allowing cross origin requests that would otherwise be prevented.

For more details on what CORS means, check out this great resource.
  • While CORS isn't enabled by default in Sugar 7 for security reasons, you can configure it within your Apache HTTP Server to allow cross origin requests to your Sugar installation.  This can be set up by adding the Access-Control-Allow-Origin header using an Apache configuration setting as documented at

    For example, you can modify your .htaccess file at the root of your Sugar installation and add the following directive.

    <IfModule mod_headers.c>
            Header set Access-Control-Allow-Origin ""

    Replacing the URL above with the origin where you want to allow data to be shared.  It is also possible to use the "*" wildcard to allow requests from any origin.  This is convenient for development purposes but should never be used in production.

    <IfModule mod_headers.c>
            Header set Access-Control-Allow-Origin "*"
    For more information about utilizing browser support for CORS, check out