Cross-origin resource sharing (CORS) is a specification that allows web assets (such as CSS, fonts and JS) on a web page to be requested from another domain, i.e. cross-domain communication from the browser. Such "cross-domain" requests are normally forbidden by web browsers under the same-origin policy. In particular, this means that a web application using an AJAX-based XMLHttpRequest can only make HTTP requests to the domain it was loaded from, and not to other domains, unless the other domain opts in through CORS response headers.
CORS can be used as a modern alternative to the JSONP pattern. While JSONP supports only the GET request method, CORS also supports other types of HTTP requests.
Below are my web.config settings that allow CORS requests for .NET-based Web APIs or services deployed on IIS 7/8. The headers are static, so the same Access-Control-Allow-Origin value is sent to every caller; the browser, not IIS, compares it against the requesting page's origin:
<system.webServer>
  <modules runAllManagedModulesForAllRequests="true">
    <!-- WebDAV would otherwise intercept verbs such as OPTIONS, PUT and DELETE -->
    <remove name="WebDAVModule"/>
  </modules>
  <httpProtocol>
    <customHeaders>
      <!-- Static CORS headers added to every response -->
      <add name="Access-Control-Allow-Origin" value="https://example.com"/>
      <add name="Access-Control-Allow-Methods" value="GET, POST, OPTIONS"/>
      <add name="Access-Control-Allow-Headers" value="Origin, X-Requested-With, Content-Type, Accept"/>
      <add name="Access-Control-Max-Age" value="1728000"/>
    </customHeaders>
  </httpProtocol>
  <handlers>
    <remove name="WebDAV"/>
    <!-- Remove the default OPTIONS handler so preflight requests reach the .asmx handlers below -->
    <remove name="OPTIONSVerbHandler"/>
    <remove name="WebServiceHandlerFactory-ISAPI-4.0_32bit"/>
    <remove name="WebServiceHandlerFactory-ISAPI-4.0_64bit"/>
    <!-- Re-register the ASMX handlers with OPTIONS added to the verb list -->
    <add name="WebServiceHandlerFactory-ISAPI-4.0_64bit" path="*.asmx" verb="GET,HEAD,POST,DEBUG,OPTIONS" modules="IsapiModule" scriptProcessor="C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_isapi.dll" resourceType="Unspecified" requireAccess="Script" preCondition="classicMode,runtimeVersionv4.0,bitness64" responseBufferLimit="0"/>
    <add name="WebServiceHandlerFactory-ISAPI-4.0_32bit" path="*.asmx" verb="GET,HEAD,POST,DEBUG,OPTIONS" modules="IsapiModule" scriptProcessor="C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_isapi.dll" resourceType="Unspecified" requireAccess="Script" preCondition="classicMode,runtimeVersionv4.0,bitness32" responseBufferLimit="0"/>
  </handlers>
</system.webServer>
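To see what these static headers actually mean to a browser, here is an added example (my own code, not part of the original post or of IIS) that parses the customHeaders section of a web.config, approximates the browser's preflight verdict for a given origin, method and request headers, and flags the settings a reviewer would question. The WEB_CONFIG string is a constructed sample modelled on the configuration above; the function names load_cors_policy, preflight_allowed and audit_policy are hypothetical.

```python
"""Audit the CORS customHeaders of an IIS web.config and approximate the
browser-side preflight decision those headers produce.

Added example, not code from the original post. WEB_CONFIG is a constructed
sample modelled on the post's configuration; the function names are hypothetical.
"""
import xml.etree.ElementTree as ET

# Constructed sample: only the customHeaders part of the post's web.config.
WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <add name="Access-Control-Allow-Origin" value="https://example.com"/>
        <add name="Access-Control-Allow-Methods" value="GET, POST, OPTIONS"/>
        <add name="Access-Control-Allow-Headers" value="Origin, X-Requested-With, Content-Type, Accept"/>
        <add name="Access-Control-Max-Age" value="1728000"/>
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>
"""

# Per the CORS spec these methods never need to be listed in Allow-Methods.
SIMPLE_METHODS = {"get", "head", "post"}


def load_cors_policy(xml_text):
    """Map lower-cased header name -> value for every <customHeaders><add>."""
    root = ET.fromstring(xml_text)
    policy = {}
    for section in root.iter("customHeaders"):
        for add in section.findall("add"):
            policy[add.get("name", "").lower()] = add.get("value", "")
    return policy


def _csv(value):
    """Split a comma-separated header value into a lower-cased set."""
    return {item.strip().lower() for item in value.split(",") if item.strip()}


def preflight_allowed(policy, origin, method, request_headers=()):
    """Approximate the browser's verdict on a preflight (OPTIONS) response.

    IIS customHeaders are static: the same Access-Control-Allow-Origin value
    is sent to every caller, so it is the browser that compares it with the
    page's origin and discards the response on a mismatch.
    """
    allow_origin = policy.get("access-control-allow-origin", "")
    if allow_origin != "*" and allow_origin.lower() != origin.lower():
        return False
    allowed_methods = _csv(policy.get("access-control-allow-methods", "")) | SIMPLE_METHODS
    if method.lower() not in allowed_methods:
        return False
    allowed_headers = _csv(policy.get("access-control-allow-headers", ""))
    if "*" not in allowed_headers:
        for name in request_headers:
            if name.lower() not in allowed_headers:
                return False
    return True


def audit_policy(policy):
    """Return reviewer findings about the header set (empty list = nothing flagged)."""
    findings = []
    allow_origin = policy.get("access-control-allow-origin", "")
    credentials = policy.get("access-control-allow-credentials", "").lower() == "true"
    if allow_origin == "*" and credentials:
        findings.append("wildcard origin combined with Allow-Credentials: browsers reject this")
    elif allow_origin == "*":
        findings.append("wildcard origin: any site can read the API's responses")
    elif allow_origin.lower().startswith("http://"):
        findings.append("allowed origin is plain http, so it can be impersonated on the network")
    max_age = policy.get("access-control-max-age", "")
    if max_age.isdigit() and int(max_age) > 86400:
        findings.append(f"max-age {max_age}s is above the 86400s Firefox cap (Chromium caps at 7200s)")
    extra = _csv(policy.get("access-control-allow-methods", "")) & {"put", "delete", "patch"}
    if extra:
        findings.append("non-simple methods enabled cross-origin, confirm the API needs them: "
                        + ", ".join(sorted(extra)))
    return findings


if __name__ == "__main__":
    policy = load_cors_policy(WEB_CONFIG)
    print("policy:", policy)
    print("example.com POST:", preflight_allowed(policy, "https://example.com", "POST", ["Content-Type"]))
    print("other origin GET:", preflight_allowed(policy, "https://other.example", "GET"))
    for finding in audit_policy(policy):
        print("finding:", finding)
```

Run against the post's own values, the only finding is the oversized Access-Control-Max-Age: 1728000 seconds is 20 days, and browsers cap the cached preflight result far below that anyway, so a smaller value costs nothing. The preflight simulation also shows why the handler changes matter: if OPTIONS never reaches the .asmx handler, the browser's preflight fails before any of the header values are consulted.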
Reference: http://en.wikipedia.org/wiki/Cross-origin_resource_sharing
Disclaimer:
The configurations and guidance in this post are intended for legacy .NET Framework applications hosted on IIS 7/8. They may not apply to modern .NET (Core/5/6/7/8+) applications, which use a different architecture for managing CORS. Always validate security implications and compatibility with your specific framework version before applying these changes in production environments.