PUT requests are throwing 403 CORS error Asp.Net Core 3.1 + Vue3 +IIS10

Question

I have spent a full day at it trying to find a solution for this and have tried almost all top voted answers in these SOF posts here, here and here.

So here is the situation:

• GET & POST requests are working fine
• PUT requests are throwing 403 as shown below

We don't have any DELETE requests at the moment to test if that is also effected or not

We have two repositories (1) Backend API - using .Net Core 3.1 and (2) Vue3/typescript/Axios client, being deployed to two domains, api to my-api.blahblah.com and web client to www.blahblah.com. Maybe relevant or not but it's on a VPS running Windows Server 2019 and IIS10. Reason for having two separate, is to have them independently deployable, separate pipelines are setup and working fine.

The CORS setup in startup.cs looks like this, I have tried different variation of these based on the answers from the SOF links above:

services.AddCors(options =>
{
    options.AddPolicy("CorsPolicy", policy =>
    {
        policy
            .AllowAnyOrigin()
            .AllowAnyHeader()
            .AllowAnyMethod();
    });
});

...

app.UseCors("CorsPolicy");

app.UseRouting();

app.UseAuthentication();
app.UseAuthorization();

The web.config file of the web client looks like this:

and the web.config of the api domain is this:

Hopefully I have added enough information but if i missed something please let me know.

I have a feeling I am missing something very trivial to get the PUT requests to work but maybe my bad day.

Thanks in advance.

EDIT 1: Additional information

• Requests through POSTMAN are also failing with 403.
• The apps work fine on local IIS (development machine).

EDIT 2:

• DELETE is not working as well, throwing same CORS error
• It is not auth issues as I placed [AllowAnnonymous] on several PUT and DELETE endpoints in API and redeployed it but still getting same errors as before
• Some last entries from IIS after allowing anony access to PUT endpoint below (notice 403 on PUT):

2021-12-15 19:29:37 SERVER_IP_REDACTED GET /api/employeeAddress PageIndex=0&PageSize=10 443 - MY_IP_REDACTED HTTP/2 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/xx.xx.xx.xx+Safari/537.36 https://WEBSITE_NAME_REDACTED/ MY_API 200 0 0 718 1558 364
2021-12-15 19:29:49 SERVER_IP_REDACTED OPTIONS /api/employeeAddress/10 - 443 - MY_IP_REDACTED HTTP/2 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/xx.xx.xx.xx+Safari/537.36 https://WEBSITE_NAME_REDACTED/ MY_API 204 0 0 305 623 70
2021-12-15 19:29:49 SERVER_IP_REDACTED GET /api/employeeAddress/10 - 443 - MY_IP_REDACTED HTTP/2 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/xx.xx.xx.xx+Safari/537.36 https://WEBSITE_NAME_REDACTED/ MY_API 200 0 0 393 1537 95
2021-12-15 19:29:55 SERVER_IP_REDACTED OPTIONS /api/employeeAddress/10 - 443 - MY_IP_REDACTED HTTP/2 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/xx.xx.xx.xx+Safari/537.36 https://WEBSITE_NAME_REDACTED/ MY_API 204 0 0 318 636 84
2021-12-15 19:29:55 SERVER_IP_REDACTED PUT /api/employeeAddress/10 - 443 - MY_IP_REDACTED HTTP/2 Mozilla/5.0+(Windows+NT+10.0;+Win64;+x64)+AppleWebKit/537.36+(KHTML,+like+Gecko)+Chrome/xx.xx.xx.xx+Safari/537.36 https://WEBSITE_NAME_REDACTED/ MY_API 403 0 0 1452 1712 74

Edit 3 EmployeeAddressController screenshot as requested:

Answer 1

It wasn't an issue with how i configured the pipeline or Cors.

As I mentioned in my question that I was using the a VPS hosting, there was ModSecurity (Firewall) setup that had some rules which were blocking these requests. I had to contact the hosting provider customer support and they turned off some rules one by one.

Even then some PUT/DELETE endpoints were working and others started to throw 405 (rather than 403 which i was getting originally).

To fix the 405 errors I added the following in web.config file:

<system.webServer>
    <modules>
        <remove name="WebDAVModule" />
    </modules>
    <handlers>
    <remove name="aspNetCore" />
        <remove name="WebDAV" />
        <!-- I removed the following handlers too, but these
             can probably be ignored for most installations -->
        <remove name="ExtensionlessUrlHandler-Integrated-4.0" />
        <remove name="OPTIONSVerbHandler" />
        <remove name="TRACEVerbHandler" />
        <add name="aspNetCore" 
             path="*" 
             verb="*" 
             modules="AspNetCoreModuleV2" 
             resourceType="Unspecified" />
    </handlers>
    <aspNetCore processPath="dotnet" 
                arguments=".\xxx.xxxxxxx.WebApi.dll" 
                stdoutLogEnabled="false" 
                stdoutLogFile=".\logs\stdout" 
                hostingModel="inprocess" />
</system.webServer>

This fixed the issue for me. However I have moved from VPS to Azure App Service, i learnt the hard way that VPS might be cheaper but it's not worth the hassle. The webapi just worked out of the box after publishing to app service in azure, no changes required.

Answer 2

If your hosting provider's control panel has a web application firewall section, turn off the firewall from there and it will start working. This worked for me.

Answer 3

Have you read https://learn.microsoft.com/en-us/aspnet/core/security/cors?view=aspnetcore-6.0?

It says:

Calls the UseCors extension method and specifies the _myAllowSpecificOrigins CORS policy. UseCors adds the CORS middleware. The call to UseCors must be placed after UseRouting, but before UseAuthorization. For more information, see Middleware order.

You have UseCors in the wrong order.

Furthermore, what are the response headers? Does it mention CORS? that could also be helpful to know.

And also, take a look at the question guidelines of stackoverflow. In these cases a link to a sample little project that contains your problem would be useful because then people could debug it and help you out better.