To enable CORS support in IIS, you need to configure the web.config file manually. 1. In
When you're hosting a website or API on IIS and want to allow requests from another domain, you'll need to configure CORS policies. Internet Information Services (IIS) doesn't have built-in CORS settings like some modern frameworks do, but you can manage it using the web.config file.

Add CORS Headers in web.config
The most common way to enable CORS in IIS is by adding custom HTTP headers in your site's web.config file. IIS then sends these headers with its responses, which is how CORS is signalled at the server level.

You'll want to add something like this inside the <system.webServer> section:

<httpProtocol>
  <customHeaders>
    <add name="Access-Control-Allow-Origin" value="*" />
    <add name="Access-Control-Allow-Methods" value="GET, POST, PUT, DELETE, OPTIONS" />
    <add name="Access-Control-Allow-Headers" value="Content-Type, Authorization" />
  </customHeaders>
</httpProtocol>

- Access-Control-Allow-Origin sets which domains are allowed. Use * for all, or specify a domain like https://example.com.
- Access-Control-Allow-Methods should include all HTTP methods your API accepts.
- Access-Control-Allow-Headers covers headers clients might send, such as Authorization or Content-Type.

Be careful with Access-Control-Allow-Credentials: only enable it if your frontend needs to send cookies or auth tokens cross-origin.

Handle Preflight Requests (OPTIONS)
Browsers often send an OPTIONS request before making certain types of cross-origin requests (like those with custom headers). You need to make sure IIS responds correctly to these.

In your web.config, make sure you have a handler for OPTIONS:

<handlers>
  <remove name="ExtensionlessUrlHandler-Integrated-4.0" />
  <add name="ExtensionlessUrlHandler-Integrated-4.0" path="*" verb="*" type="System.Web.Handlers.TransferRequestHandler" preCondition="integratedModeV4.0" />
</handlers>

This tells IIS to pass the OPTIONS request through properly instead of blocking or ignoring it.

If you're using ASP.NET Web API alongside IIS, it's better to handle CORS at the application level using the [EnableCors] attribute, but not everyone has that setup.

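The header settings and the OPTIONS handler described above can be checked before deployment. The following Python check is an added example, not part of the original article; the sample web.config and the finding names are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not from the article): its wildcard policy with
# credentials switched on and a handler whose verb list omits OPTIONS.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <add name="Access-Control-Allow-Origin" value="*" />
        <add name="Access-Control-Allow-Methods" value="GET, POST, OPTIONS" />
        <add name="Access-Control-Allow-Credentials" value="true" />
      </customHeaders>
    </httpProtocol>
    <handlers>
      <remove name="ExtensionlessUrlHandler-Integrated-4.0" />
      <add name="ExtensionlessUrlHandler-Integrated-4.0" path="*"
           verb="GET,HEAD,POST" type="System.Web.Handlers.TransferRequestHandler"
           preCondition="integratedModeV4.0" />
    </handlers>
  </system.webServer>
</configuration>"""


def audit_cors(config_xml):
    """Return finding codes for the static CORS setup in a web.config string."""
    web_server = ET.fromstring(config_xml).find("system.webServer")
    if web_server is None:
        return ["NO_SYSTEM_WEBSERVER"]
    headers = {a.get("name", "").lower(): a.get("value", "").strip()
               for a in web_server.iterfind("httpProtocol/customHeaders/add")}
    origin = headers.get("access-control-allow-origin")
    creds = headers.get("access-control-allow-credentials", "").lower() == "true"
    findings = []
    if origin is None:
        findings.append("NO_ALLOW_ORIGIN")          # browsers block cross-origin reads
    elif origin == "*":
        findings.append("WILDCARD_ORIGIN")          # any site may read the responses
        if creds:
            findings.append("WILDCARD_WITH_CREDENTIALS")  # browsers reject this pair
    elif "," in origin or " " in origin:
        findings.append("MULTIPLE_ORIGINS")         # the header takes a single origin
    # Preflight: a handler whose verb list omits OPTIONS never sees the request.
    for handler in web_server.iterfind("handlers/add"):
        verbs = {v.strip().upper() for v in handler.get("verb", "*").split(",")}
        if "*" not in verbs and "OPTIONS" not in verbs:
            findings.append("HANDLER_SKIPS_OPTIONS:" + handler.get("name", "?"))
    return findings


if __name__ == "__main__":
    for finding in audit_cors(SAMPLE_WEB_CONFIG):
        print(finding)
```
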
Avoid Conflicts with Other Modules
Sometimes IIS modules like URL Rewrite, Dynamic Content Compression, or even Authentication modules can interfere with how CORS headers are sent.
Here are a few things to check:
- Make sure no other module is removing or overwriting your CORS headers.
- If you're using Windows Authentication, test whether it affects how credentials are handled cross-origin.
- In some cases, you may need to clear existing headers before adding your own:

<customHeaders>
  <clear />
  <add name="Access-Control-Allow-Origin" value="https://yourdomain.com" />
  ...
</customHeaders>

Also, don't forget to restart IIS or recycle the app pool after making changes:
iisreset
That's the core of setting up CORS in IIS manually. It's not as plug-and-play as some platforms, but once you get the headers right and handle preflight requests, it works reliably. Just be precise about what domains and methods you allow — especially in production environments.
That's basically it.