52

This is my configuration file.

<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    ServerName localhost:80
    DocumentRoot /var/www/XXX
    <Directory />
        Options None
        AllowOverride None
        Order deny,allow
        Deny from all
    </Directory>
    <Directory /var/www/qvbn-app-web-ctrl>
        Options FollowSymLinks
        AllowOverride AuthConfig FileInfo
        Order allow,deny
        Allow from all
        Header set Access-Control-Allow-Origin "*"
    </Directory>
    ErrorLog ${APACHE_LOG_DIR}/error.log
    LogLevel warn
    CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

When I try to reload apache2, it gives this error:

   Invalid command 'Header', perhaps misspelled or defined by a module not included in the server configuration
    Action 'configtest' failed.

I don't know how to enable CORS. I followed this: http://enable-cors.org/server_apache.html

Prakash Kuma

9 Answers

81
OS=GNU/Linux Debian
Httpd=Apache/2.4.10

Change in /etc/apache2/apache2.conf

<Directory /var/www/html>
     Order Allow,Deny
     Allow from all
     AllowOverride all
     Header set Access-Control-Allow-Origin "*"
</Directory>

Add/activate module

 a2enmod headers 

Restart service

/etc/init.d/apache2 restart
Amit Vujic
  • 1
    Thanks a lot..was stuck in this for a long time..I was trying to do this by LocationMatch and all.. but this worked like a charm – Parth Kumar Dec 05 '17 at 11:31
  • 1
    Worked like a charm. – Simão Garcia Jan 20 '19 at 17:56
  • 1
    `/etc/init.d/apache2 restart` – lcssanches Feb 25 '21 at 20:21
  • 1
    Firefox was still blocking my CORS request. Finally I found out that ignoring a self-signed certificate on one port does not apply for another port in FF (in Chrome, it does). Only after manually starting a request on the other port and ignoring the cert there as well, FF allowed the CORS request. Best try to _avoid CORS requests to sites using self-signed certs_ (better setup a trusted cert, it is easier than getting this to work). – Christopher K. Jun 06 '21 at 15:22
23

First enable mod_headers on your server, then you can use header directive in both Apache conf and .htaccess.

  1. enable mod_headers
  • a2enmod headers
  2. configure header in .htaccess file
Header add Access-Control-Allow-Origin "*"
Header add Access-Control-Allow-Headers "origin, x-requested-with, content-type"
Header add Access-Control-Allow-Methods "PUT, GET, POST, DELETE, OPTIONS"
s1n7ax
piyush
23

In httpd.conf

  1. Make sure these are loaded:
LoadModule headers_module modules/mod_headers.so

LoadModule rewrite_module modules/mod_rewrite.so
  2. In the target directory:
<Directory "/usr/local/PATH">
    AllowOverride None
    Require all granted

    Header always set Access-Control-Allow-Origin "*"
    Header always set Access-Control-Allow-Methods "POST, GET, OPTIONS, DELETE, PUT"
    Header always set Access-Control-Allow-Headers "x-requested-with, Content-Type, origin, authorization, accept, client-security-token"
    Header always set Access-Control-Expose-Headers "Content-Security-Policy, Location"
    Header always set Access-Control-Max-Age "600"

    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} OPTIONS
    RewriteRule ^(.*)$ $1 [R=200,L]

</Directory>

If running outside container, you may need to restart apache service.
ericgu
  • 1
    This is the **only** answer in this thread that addresses pre-flight `OPTIONS` requests. Nice work! – Phil Jun 02 '20 at 23:30
6

Put the following in the site's .htaccess file (in /var/www/XXX):

Header set Access-Control-Allow-Origin "*"

instead of the .conf file.

You'll also want to use

AllowOverride All

in your .conf file for the domain so Apache looks at it.

drj
6

Ubuntu Apache2 solution that worked for me. The .htaccess edit did not work for me; I had to modify the conf file.

nano /etc/apache2/sites-available/mydomain.xyz.conf

my config that worked to allow CORS Support

<IfModule mod_ssl.c>
    <VirtualHost *:443>

        ServerName mydomain.xyz
        ServerAlias www.mydomain.xyz

        ServerAdmin support@mydomain.xyz
        DocumentRoot /var/www/mydomain.xyz/public

        ### following three lines are for CORS support
        Header add Access-Control-Allow-Origin "*"
        Header add Access-Control-Allow-Headers "origin, x-requested-with, content-type"
        Header add Access-Control-Allow-Methods "PUT, GET, POST, DELETE, OPTIONS"

        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined

        SSLCertificateFile /etc/letsencrypt/live/mydomain.xyz/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/mydomain.xyz/privkey.pem

    </VirtualHost>
</IfModule>

then type the following command

a2enmod headers

make sure cache is clear before trying

Michael Nelles
4

Enable mod_headers in Apache2 to be able to use the Header directive:

a2enmod headers
frinux
1

I had a lot of trouble getting this to work. Dummy me, don't forget that the old page - even for sub-requests - gets cached in your browser. Maybe obvious, but clear your browser's cache. After that, one can also use `Header set Cache-Control "no-store"`. This was helpful to me while testing.

BobR
0

FWIW, on a standard shared server hosting configuration (Namecheap) - on a non-production account with no need for security - this worked for me:

Header Set Access-Control-Allow-Origin *
Header Set Access-Control-Allow-Headers *
Header Set Access-Control-Allow-Methods *
cssyphus
-3

You can also put the code below in the .htaccess file to allow CORS using the .htaccess file.

    ######################## Handling Options for the CORS
    RewriteCond %{REQUEST_METHOD} OPTIONS
    RewriteRule ^(.*)$ $1 [L,R=204]

    ##################### Add custom headers
    Header set X-Content-Type-Options "nosniff"
    Header set X-XSS-Protection "1; mode=block"
    # Always set these headers for CORS.
    Header always set Access-Control-Max-Age 1728000
    Header always set Access-Control-Allow-Origin: "*"
    Header always set Access-Control-Allow-Methods: "GET,POST,OPTIONS,DELETE,PUT"
    Header always set Access-Control-Allow-Headers: "DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,C$
    Header always set Access-Control-Allow-Credentials true

For information purposes, you can also have a look at this article, http://www.ipragmatech.com/enable-cors-using-htaccess/, which allows the CORS header.
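
Added example, not taken from any of the answers: every answer above sends `Access-Control-Allow-Origin "*"`, and browsers refuse that wildcard on requests made with credentials, so the combination with `Access-Control-Allow-Credentials true` in the last answer does not work. The configuration below instead echoes the request's `Origin` only when it matches an allowlist; the directory path, the two `example.com` origins and the `CORS_ORIGIN` variable name are assumptions.

```apache
# Added example. Assumes mod_headers, mod_setenvif and mod_rewrite are
# enabled (a2enmod headers setenvif rewrite). The path and the origins
# are placeholders to replace with your own.
<Directory /var/www/example-app>
    Require all granted

    # Weak setting used throughout this page: any site may read responses,
    # and browsers reject it for credentialed requests.
    # Header always set Access-Control-Allow-Origin "*"

    # Copy the Origin request header into CORS_ORIGIN only when it matches
    # the allowlist exactly (anchored regex, scheme included).
    SetEnvIf Origin "^https://(app|admin)\.example\.com$" CORS_ORIGIN=$0

    # Emit CORS headers only for allowlisted origins (env=CORS_ORIGIN).
    Header always set Access-Control-Allow-Origin "%{CORS_ORIGIN}e" env=CORS_ORIGIN
    Header always set Access-Control-Allow-Credentials "true" env=CORS_ORIGIN
    Header always set Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS" env=CORS_ORIGIN
    Header always set Access-Control-Allow-Headers "origin, x-requested-with, content-type" env=CORS_ORIGIN
    Header always set Access-Control-Max-Age "600" env=CORS_ORIGIN

    # The response now varies with the Origin header, so shared caches
    # must not serve one origin's response to another.
    Header always merge Vary "Origin"

    # Answer pre-flight OPTIONS requests directly, as in the answers above.
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} OPTIONS
    RewriteRule ^(.*)$ $1 [R=204,L]
</Directory>
```

Run `apache2ctl configtest` before reloading; a request from an origin outside the allowlist should come back with no `Access-Control-Allow-Origin` header at all.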