12

How can I convert the following code for use in the web.config in IIS 7.5, and where in the web.config file should I place each piece of code?

    # Always set these headers.
    Header always set Access-Control-Allow-Origin "*"
    Header always set Access-Control-Allow-Methods "POST, GET, OPTIONS, DELETE, PUT"
    Header always set Access-Control-Max-Age "1000"
    Header always set Access-Control-Allow-Headers "x-requested-with, Content-Type, origin, authorization, accept, client-security-token"

    # Added a rewrite to respond with a 200 SUCCESS on every OPTIONS request.
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} OPTIONS
    RewriteRule ^(.*)$ $1 [R=200,L]
bad_coder
Vernon Wainohu
  • As per the recommendation from the site http://enable-cors.org/server_iis7.html, I've added to my web.config, but I get the following message in Firefox: Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://lrpspsprd02.lhl.co.nz/ZFP/Dicom/UrlAuthentication?mode=StandAloneLaunch. This can be fixed by moving the resource to the same domain or enabling CORS. – Vernon Wainohu Feb 12 '15 at 22:00

2 Answers

28

If you are asking this to solve a CORS problem, you can follow the solution below.

NOTE: Before adding all this you should consider security issues.

  1. Add this to your web.config file:

    <system.webServer>
      <httpProtocol>
        <customHeaders>
          <add name="Access-Control-Allow-Origin" value="*" />
          <add name="Access-Control-Allow-Methods" value="GET, PUT, POST, DELETE, HEAD, OPTIONS" />
          <add name="Access-Control-Allow-Credentials" value="true"/>
          <add name="Access-Control-Allow-Headers" value="X-Requested-With, origin, content-type, accept" />
        </customHeaders>
      </httpProtocol>
    </system.webServer>
    
  2. If you have a Content-Type parameter in your ajax call or you are doing a PUT request, those are considered preflight requests. Preflight requests do an OPTIONS request before sending the main request (PUT, DELETE, etc.). You can add the method below to your global.asax file to pass the OPTIONS process successfully:

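    // Requires "using System.Linq;" in global.asax.cs for AllKeys.Contains().
    protected void Application_BeginRequest()
    {
        // CORS preflight: an OPTIONS request that carries an Origin header.
        if (Request.Headers.AllKeys.Contains("Origin") && Request.HttpMethod == "OPTIONS")
        {
            // Send the response headers (including the customHeaders above) right away.
            Response.Flush();
        }
    }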
    

To have more information about Preflight requests you can check here

For solution number 2 you can have detailed information from here

gpinkas
Zehra Subaş
1

Some updates need to be considered, as Chrome now adds strict-origin-when-cross-origin as the default referrer policy, so if you don't set a referrer policy in the web.config, you might still run into the CORS issue. This is the setting that worked for me when testing a localhost test program against a remote server (the settings are not recommended for production):

    <system.webServer>
      <httpProtocol>
        <customHeaders>
          <add name="Referrer-Policy" value="no-referrer" />
          <add name="Access-Control-Allow-Origin" value="*" />
          <add name="Access-Control-Allow-Methods" value="GET, PUT, POST, DELETE, HEAD, OPTIONS" />
          <add name="Access-Control-Allow-Credentials" value="true"/>
          <add name="Access-Control-Allow-Headers" value="X-Requested-With, origin, content-type, accept" />
        </customHeaders>
      </httpProtocol>
    </system.webServer>
Chris Ji
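An added example, not code from either answer: a small Python audit of a web.config's `<customHeaders>` block that flags the combination both answers use, `Access-Control-Allow-Origin: *` together with `Access-Control-Allow-Credentials: true`, which browsers refuse for credentialed requests. The finding names, `PINNED_CONFIG` and the `https://app.example.com` origin are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Header values copied from the answers' <customHeaders> block (sample input).
PAGE_CONFIG = """<configuration><system.webServer><httpProtocol><customHeaders>
  <add name="Access-Control-Allow-Origin" value="*" />
  <add name="Access-Control-Allow-Methods" value="GET, PUT, POST, DELETE, HEAD, OPTIONS" />
  <add name="Access-Control-Allow-Credentials" value="true"/>
  <add name="Access-Control-Allow-Headers" value="X-Requested-With, origin, content-type, accept" />
</customHeaders></httpProtocol></system.webServer></configuration>"""

# Constructed variant: a single explicit origin (placeholder host) instead of "*".
PINNED_CONFIG = PAGE_CONFIG.replace('value="*"', 'value="https://app.example.com"')

STATE_CHANGING = {"PUT", "POST", "DELETE", "PATCH"}


def cors_headers(web_config_xml):
    """Map lower-cased header name -> value for every <customHeaders>/<add> entry."""
    root = ET.fromstring(web_config_xml)
    return {add.get("name", "").lower(): add.get("value", "").strip()
            for block in root.iter("customHeaders") for add in block.findall("add")}


def audit_cors(web_config_xml):
    """Return finding codes for statically configured CORS response headers."""
    headers = cors_headers(web_config_xml)
    origin = headers.get("access-control-allow-origin")
    credentials = headers.get("access-control-allow-credentials", "").lower() == "true"
    methods = {m.strip().upper()
               for m in headers.get("access-control-allow-methods", "").split(",")}
    findings = []
    if origin == "*":
        findings.append("wildcard-origin")  # every site may read anonymous responses
        if credentials:
            # Browsers reject a credentialed response whose allowed origin is "*".
            findings.append("wildcard-origin-with-credentials")
        if methods & STATE_CHANGING:
            findings.append("wildcard-origin-allows-state-changing-methods")
    elif origin == "null":
        findings.append("null-origin")  # sandboxed frames and local files send "null"
    return findings


if __name__ == "__main__":
    for label, xml_text in (("page", PAGE_CONFIG), ("pinned", PINNED_CONFIG)):
        print(label, audit_cors(xml_text) or "no findings")
```
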