When dealing with an Apigee Proxy invoking a microservice API endpoint, it's essential to determine where to add the CORS policy. Hence I am trying to understand at which endpoint (is it at TargetEndpoint or ProxyEndpoint) we should be adding CORS policy for below specific scenario.

Scenario:  In a specific scenario where the Target endpoint API responds with a 400 Bad Request and an error object, a challenge arises when the UI, hosted on a different domain, is unable to retrieve the response when triggering the Apigee proxy (while preflight OPTIONS call was success as ProxyEndpoint has AM.CORS policy added already). Although the error messages are visible in the Apigee trace/logs, they are not reaching the browser.

In response to this issue, a potential solution was to experiment with adding the AM.CORS policy under the target endpoint in the DefaultFaultRule, which has shown promising results. For us, it's important to verify if this approach aligns with best practices, as there is no explicit documentation in Apigee regarding adding the CORS policy in the TargetEndpoint's DefaultRule.

Can you please help to clarify whether this approach is specifically relevant for error scenarios or if there is a more appropriate method to address this issue. Looking forward to correct way of handling this issue. 

Regards,
Pankaj Sharma