Configuring CORS (Cross-Origin Resource Sharing) Policies in IIS
Jul 26, 2025, 02:32 AM

To enable CORS support for IIS, the web.config file needs to be configured manually. 1. Add the
When you're hosting a website or API on IIS and want to allow requests from another domain, you'll need to configure CORS policies. Internet Information Services (IIS) doesn't have built-in CORS settings like some modern frameworks do, but you can manage it using the web.config file.

Add CORS Headers in web.config
The most common way to enable CORS in IIS is by adding custom HTTP headers in your site's web.config file. This mimics how CORS works at the server level.

You'll want to add something like this inside the <system.webServer> section:

<httpProtocol>
  <customHeaders>
    <add name="Access-Control-Allow-Origin" value="*" />
    <add name="Access-Control-Allow-Methods" value="GET, POST, PUT, DELETE, OPTIONS" />
    <add name="Access-Control-Allow-Headers" value="Content-Type, Authorization" />
  </customHeaders>
</httpProtocol>

- Access-Control-Allow-Origin sets which domains are allowed. Use * for all, or specify a domain like https://example.com.
- Access-Control-Allow-Methods should include all HTTP methods your API accepts.
- Access-Control-Allow-Headers covers headers clients might send, such as Authorization or Content-Type.

Be careful with Access-Control-Allow-Credentials: only enable it if your frontend needs to send cookies or auth tokens cross-origin. Browsers reject a credentialed response whose Access-Control-Allow-Origin is *, so enabling credentials also means naming a specific origin.
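An added example (not from the original article): a small Python check that parses a web.config and flags the CORS header combinations discussed above. The function name audit_cors is hypothetical, and the sample file is the article's snippet plus a constructed Access-Control-Allow-Credentials line.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the headers from the article plus a credentials header.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <add name="Access-Control-Allow-Origin" value="*" />
        <add name="Access-Control-Allow-Methods" value="GET, POST, PUT, DELETE, OPTIONS" />
        <add name="Access-Control-Allow-Headers" value="Content-Type, Authorization" />
        <add name="Access-Control-Allow-Credentials" value="true" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>"""


def audit_cors(web_config_xml):
    """Return a list of findings for the CORS custom headers in a web.config."""
    root = ET.fromstring(web_config_xml)
    headers = {}
    findings = []
    for add in root.findall("./system.webServer/httpProtocol/customHeaders/add"):
        name = add.get("name", "").lower()
        if name in headers:
            # Two <add> entries with the same name conflict with each other.
            findings.append(f"duplicate header: {name}")
        headers[name] = add.get("value", "").strip()

    origin = headers.get("access-control-allow-origin")
    creds = headers.get("access-control-allow-credentials", "").lower() == "true"
    if origin is None:
        findings.append("no Access-Control-Allow-Origin header configured")
    elif origin == "*":
        findings.append("wildcard origin: any site can read non-credentialed responses")
        if creds:
            findings.append("wildcard origin with credentials: browsers reject this")
    elif "," in origin or " " in origin:
        findings.append("origin must be a single value, not a list")
    return findings


if __name__ == "__main__":
    for finding in audit_cors(SAMPLE_WEB_CONFIG):
        print(finding)
```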
Handle Preflight Requests (OPTIONS)
Browsers often send an OPTIONS request before making certain types of cross-origin requests (like those with custom headers). You need to make sure IIS responds correctly to these.

In your web.config, make sure you have a handler for OPTIONS:

<handlers>
  <remove name="ExtensionlessUrlHandler-Integrated-4.0" />
  <add name="ExtensionlessUrlHandler-Integrated-4.0" path="*" verb="*" type="System.Web.Handlers.TransferRequestHandler" preCondition="integratedModeV4.0" />
</handlers>

This tells IIS to pass the OPTIONS request through properly instead of blocking or ignoring it.

If you're using ASP.NET Web API alongside IIS, it's better to handle CORS at the application level using the [EnableCors] attribute, but not everyone has that setup.
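An added example (not from the original article): a Python function that evaluates an OPTIONS preflight response the way a browser does, so a captured response can be checked offline. The names preflight_allows and ARTICLE_HEADERS are hypothetical, and the origin, the status codes and the header dictionary are constructed.

```python
SAFELISTED_METHODS = {"GET", "HEAD", "POST"}

# Constructed sample: the response headers the article's web.config would emit.
ARTICLE_HEADERS = {
    "access-control-allow-origin": "*",
    "access-control-allow-methods": "GET, POST, PUT, DELETE, OPTIONS",
    "access-control-allow-headers": "Content-Type, Authorization",
}


def _split(value):
    """Split a comma-separated header value into a set of tokens."""
    return {token.strip() for token in value.split(",") if token.strip()}


def preflight_allows(status, resp, origin, method, req_headers, credentials=False):
    """Return (allowed, reason) for an OPTIONS preflight response.

    resp maps lowercase response header names to values; req_headers holds the
    header names the browser listed in Access-Control-Request-Headers.
    """
    if not 200 <= status <= 299:
        return False, f"preflight returned HTTP {status}"
    allow_origin = resp.get("access-control-allow-origin", "")
    if credentials:
        # With cookies or HTTP auth, "*" is treated as a literal, not a wildcard.
        if allow_origin != origin:
            return False, "origin must match exactly for credentialed requests"
        if resp.get("access-control-allow-credentials") != "true":
            return False, "Access-Control-Allow-Credentials is not true"
    elif allow_origin not in ("*", origin):
        return False, "origin not allowed"
    star = "*" if not credentials else None  # wildcard only without credentials
    methods = _split(resp.get("access-control-allow-methods", ""))
    if method not in SAFELISTED_METHODS and method not in methods and star not in methods:
        return False, f"method {method} not allowed"
    headers = {h.lower() for h in _split(resp.get("access-control-allow-headers", ""))}
    for name in (h.lower() for h in req_headers):
        # Authorization must be listed by name; "*" never covers it.
        if name not in headers and (star not in headers or name == "authorization"):
            return False, f"header {name} not allowed"
    return True, "ok"
```

A non-2xx status on the OPTIONS request fails the check before any header is read, which is why the handler configuration matters as much as the headers.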
Avoid Conflicts with Other Modules
Sometimes IIS modules like URL Rewrite, Dynamic Content Compression, or even Authentication modules can interfere with how CORS headers are sent.
Here are a few things to check:
- Make sure no other module is removing or overwriting your CORS headers.
- If you're using Windows Authentication, test whether it affects how credentials are handled cross-origin.
- In some cases, you may need to clear existing headers before adding your own:

<customHeaders>
  <clear />
  <add name="Access-Control-Allow-Origin" value="https://yourdomain.com" />
  ...
</customHeaders>

Also, don't forget to restart IIS or recycle the app pool after making changes:
iisreset
That's the core of setting up CORS in IIS manually. It's not as plug-and-play as some platforms, but once you get the headers right and handle preflight requests, it works reliably. Just be precise about what domains and methods you allow — especially in production environments.
Basically that's it.