How to support HTTP OPTIONS verb in ASP NET MVC WebAPI application

Question

I ve setup an ASP NET web application starting with a MVC 4 Web API template  It seems as though things are working really well - no problems that I m aware of  I ve used Chrome and Firefox to go through the site  I ve tested using Fiddler and all of the responses seem to be on the money   So now I proceed to write a simple Test aspx to consume this new Web API  The relevant parts of the script    lt script type  text javascript  gt        function                 ajax               url   http   mywebapidomain com api user               type   GET               contentType   json               success  function  data                       each data  function  index  item                                                                                                                        failure  function  result                    alert result d                               error  function  XMLHttpRequest  textStatus  errorThrown                    alert  An error occurred  please try again      textStatus                                        lt  script gt    This generates a REQUEST header   OPTIONS http   host mywebapidomain com api user HTTP 1 1 Host  host mywebapidomain com User-Agent  Mozilla 5 0  Windows NT 6 1  WOW64  rv 24 0  Gecko 20100101 Firefox 24 0 Accept  text html application xhtml xml application xml q 0 9     q 0 8 Accept-Language  en-US en q 0 5 Accept-Encoding  gzip  deflate Origin  http   mywebapidomain com Access-Control-Request-Method  GET Access-Control-Request-Headers  content-type Connection  keep-alive   As is  Web API returns a 405 Method Not Allowed    HTTP 1 1 405 Method Not Allowed Cache-Control  no-cache Pragma  no-cache Content-Type  application xml  charset utf-8 Expires  -1 Server  Microsoft-IIS 8 0 X-AspNet-Version  4 0 30319 X-Powered-By  ASP NET Date  Mon  30 Sep 2013 13 28 12 GMT Content-Length  96   lt Error gt  lt Message gt The requested resource does not support http method  OPTIONS   lt  Message gt  lt  Error gt    I understand that the OPTIONS verb is not wired up in Web API controllers by default    So  I placed the following code in my UserController cs      OPTIONS http-verb handler public HttpResponseMessage OptionsUser         var response   new HttpResponseMessage        response StatusCode   HttpStatusCode OK      return response         and this eliminated the 405 Method Not Allowed error  but the response is completely empty - no data is returned   HTTP 1 1 200 OK Cache-Control  no-cache Pragma  no-cache Expires  -1 Server  Microsoft-IIS 8 0 X-AspNet-Version  4 0 30319 X-Powered-By  ASP NET Date  Mon  30 Sep 2013 12 56 21 GMT Content-Length  0   There must be additional logic    I don t know how to properly code the Options method or if the controller is even the proper place to put the code  Weird  to me  that the Web API site responds properly when viewed from Firefox or Chrome  yet the  ajax call above errors out  How do I handle the  preflight  check in the  ajax code  Maybe I should be addressing this issue on the client side s  ajax logic  Or  if this is an issue on the server side due to not handling the OPTIONS verb   Can anyone help  This must be a very common issue and I apologize if it s been answered here  I searched but didn t find any answers that helped   UPDATE IMHO  this is a client side issue and has to do with the Ajax JQuery code above  I say this because Fiddler doesn t show any 405 error headers when I access mywebapidomain api user from a web browser  The only place I can duplicate this problem is from the JQuery  ajax   call  Also  the identical Ajax call above works fine when ran on the server  same domain    I found another post  Prototype AJAX request being sent as OPTIONS rather than GET  results in 501 error that seems to be related  but I ve tinkered with their suggestions with no success  Apparently  JQuery is coded so that if an Ajax request is cross domain  which mine is  it adds a couple of headers which trigger the OPTIONS header somehow    X-Requested-With    XMLHttpRequest    X-Prototype-Version   Prototype Version    It just seems that there should be a better solution available than modifying core code in JQuery     The answer provided below assumes this is a server side issue  Maybe  I guess  but I lean toward client and calling a hosting provider isn t going to help

User · Answer

Mike Goodwin answer is great but it seemed, when I tried it, that it was aimed at MVC5/WebApi 2.1. The dependencies for Microsoft.AspNet.WebApi.Cors didn't play nicely with my MVC4 project.

The simplest way to enable CORS on WebApi with MVC4 was the following.

Note that I have allowed all, I suggest you limit the Origin's to just the clients you want your API to serve. Allowing everything is a security risk.

Web.config:

<system.webServer>
    <httpProtocol>
      <customHeaders>
        <add name="Access-Control-Allow-Origin" value="*" />
        <add name="Access-Control-Allow-Methods" value="GET, PUT, POST, DELETE, HEAD" />
        <add name="Access-Control-Allow-Headers" value="Origin, X-Requested-With, Content-Type, Accept" />
      </customHeaders>
    </httpProtocol>
</system.webServer>

BaseApiController.cs:

We do this to allow the OPTIONS http verb

 public class BaseApiController : ApiController
  {
    public HttpResponseMessage Options()
    {
      return new HttpResponseMessage { StatusCode = HttpStatusCode.OK };
    }
  }

User · Answer

Just add this to your Application OnBeginRequest method  this will enable CORS support globally for your application  and  handle  preflight requests    var res   HttpContext Current Response  var req   HttpContext Current Request  res AppendHeader  Access-Control-Allow-Origin   req Headers  Origin     res AppendHeader  Access-Control-Allow-Credentials    true    res AppendHeader  Access-Control-Allow-Headers    Content-Type  X-CSRF-Token  X-Requested-With  Accept  Accept-Version  Content-Length  Content-MD5  Date  X-Api-Version  X-File-Name    res AppendHeader  Access-Control-Allow-Methods    POST GET PUT PATCH DELETE OPTIONS             Respond to the OPTIONS verb       if  req HttpMethod     OPTIONS         res StatusCode   200      res End          security  be aware that this will enable ajax requests from anywhere to your server  you can instead only allow a comma separated list of Origins urls if you prefer    I used current client origin instead of   because this will allow credentials    setting Access-Control-Allow-Credentials to true will enable cross browser session managment  also you need to enable delete and put  patch and options verbs in your webconfig section system webServer  otherwise IIS will block them      lt handlers gt     lt remove name  ExtensionlessUrlHandler-ISAPI-4 0 32bit    gt     lt remove name  ExtensionlessUrlHandler-ISAPI-4 0 64bit    gt     lt remove name  ExtensionlessUrlHandler-Integrated-4 0    gt     lt add name  ExtensionlessUrlHandler-ISAPI-4 0 32bit  path      verb  GET HEAD POST DEBUG PUT DELETE PATCH OPTIONS  modules  IsapiModule  scriptProcessor   windir  Microsoft NET Framework v4 0 30319 aspnet isapi dll  preCondition  classicMode runtimeVersionv4 0 bitness32  responseBufferLimit  0    gt     lt add name  ExtensionlessUrlHandler-ISAPI-4 0 64bit  path      verb  GET HEAD POST DEBUG PUT DELETE PATCH OPTIONS  modules  IsapiModule  scriptProcessor   windir  Microsoft NET Framework64 v4 0 30319 aspnet isapi dll  preCondition  classicMode runtimeVersionv4 0 bitness64  responseBufferLimit  0    gt     lt add name  ExtensionlessUrlHandler-Integrated-4 0  path      verb  GET HEAD POST DEBUG PUT DELETE PATCH OPTIONS  type  System Web Handlers TransferRequestHandler  preCondition  integratedMode runtimeVersionv4 0    gt   lt  handlers gt    hope this helps

User · Answer

After encountering the same issue in a Web API 2 project  and being unable to use the standard CORS packages for reasons not worth going into here   I was able to resolve this by implementing a custom DelagatingHandler   public class AllowOptionsHandler   DelegatingHandler       protected override async Task lt HttpResponseMessage gt  SendAsync          HttpRequestMessage request  CancellationToken cancellationToken                var response   await base SendAsync request  cancellationToken            if  request Method    HttpMethod Options  amp  amp              response StatusCode    HttpStatusCode MethodNotAllowed                        response   new HttpResponseMessage HttpStatusCode OK                      return response            For the Web API configuration   config MessageHandlers Add new AllowOptionsHandler       Note that I also have the CORS headers enabled in Web config  similar to some of the other answers posted here    lt system webServer gt     lt modules runAllManagedModulesForAllRequests  true  gt       lt remove name  WebDAVModule    gt     lt  modules gt      lt httpProtocol gt       lt customHeaders gt         lt add name  Access-Control-Allow-Origin  value       gt         lt add name  Access-Control-Allow-Headers  value  accept  cache-control  content-type  authorization    gt         lt add name  Access-Control-Allow-Methods  value  GET  POST  PUT  DELETE  OPTIONS    gt       lt  customHeaders gt     lt  httpProtocol gt      lt handlers gt       lt remove name  ExtensionlessUrlHandler-Integrated-4 0    gt       lt remove name  TRACEVerbHandler    gt       lt add name  ExtensionlessUrlHandler-Integrated-4 0  path      verb     type  System Web Handlers TransferRequestHandler  preCondition  integratedMode runtimeVersionv4 0    gt     lt  handlers gt   lt  system webServer gt    Note that my project does not include MVC  only Web API 2

User · Answer

I had this same problem  For me the fix was to remove the custom content type from the jQuery AJAX call   Custom content types trigger the pre-flight request  I found this   The browser can skip the preflight request if the following conditions are true  The request method is GET  HEAD  or POST  and The application does not set any request headers other than Accept  Accept-Language  Content-Language  Content-Type  or Last-Event-ID  and The Content-Type header  if set  is one of the following   application x-www-form-urlencoded multipart form-data text plain   From this page  http   www asp net web-api overview security enabling-cross-origin-requests-in-web-api   under  quot Preflight Requests quot

User · Answer

I too faced the same issue   Follow the below step to solve the issue on  CORS  compliance in browsers   Include REDRock in your solution with the Cors reference  Include WebActivatorEx reference to Web API solution   Then Add the file CorsConfig in the Web API App Start Folder    assembly  PreApplicationStartMethod typeof WebApiNamespace CorsConfig    PreStart     namespace WebApiNamespace       public static class CorsConfig               public static void PreStart                         GlobalConfiguration Configuration MessageHandlers Add new RedRocket WebApi Cors CorsHandler                         With these changes done i was able to access the webapi in all browsers

User · Answer

As Daniel A  White said in his comment  the OPTIONS request is most likely created by the client as part of a cross domain JavaScript request  This is done automatically by Cross Origin Resource Sharing  CORS  compliant browsers  The request is a preliminary or pre-flight request  made before the actual AJAX request to determine which request verbs and headers are supported for CORS  The server can elect to support it for none  all or some of the HTTP verbs   To complete the picture  the AJAX request has an additional  Origin  header  which identified where the original page which is hosting the JavaScript was served from  The server can elect to support request from any origin  or just for a set of known  trusted origins  Allowing any origin is a security risk since is can increase the risk of Cross site Request Forgery  CSRF    So  you need to enable CORS    Here is a link that explains how to do this in ASP Net Web API  http   www asp net web-api overview security enabling-cross-origin-requests-in-web-api enable-cors  The implementation described there allows you to specify  amongst other things   CORS support on a per-action  per-controller or global basis The supported origins When enabling CORS a a controller or global level  the supported HTTP verbs Whether the server supports sending credentials with cross-origin requests   In general  this works fine  but you need to make sure you are aware of the security risks  especially if you allow cross origin requests from any domain  Think very carefully before you allow this   In terms of which browsers support CORS  Wikipedia says the following engines support it    Gecko 1 9 1  FireFox 3 5  WebKit  Safari 4  Chrome 3  MSHTML Trident 6  IE10  with partial support in IE8 and 9 Presto  Opera 12    http   en wikipedia org wiki Cross-origin resource sharing Browser support

User · Answer

In ASP NET web api 2   CORS support has been added   Please check the link   http   www asp net web-api overview security enabling-cross-origin-requests-in-web-api

User · Answer

In the Application OnBeginRequest method in GLOBAL ASX add the following -    var res   HttpContext Current Response    var req   HttpContext Current Request    res AppendHeader  quot Access-Control-Allow-Origin quot    quot   quot      res AppendHeader  quot Access-Control-Allow-Credentials quot    quot true quot      res AppendHeader  quot Access-Control-Allow-Headers quot    quot Authorization quot      res AppendHeader  quot Access-Control-Allow-Methods quot    quot POST GET PUT PATCH DELETE OPTIONS quot                   Respond to the OPTIONS verb           if  req HttpMethod     quot OPTIONS quot                 res StatusCode   200          res End             Remove any entries in the custom headers as this will throw an error that there s to     many values in the header      lt httpProtocol gt       lt customHeaders gt       lt  customHeaders gt   lt  httpProtocol gt

User · Answer

protected void Application EndRequest                 if  Context Response StatusCode    405  amp  amp  Context Request HttpMethod     OPTIONS                          Response Clear                Response StatusCode   200              Response End

User · Answer

I have managed to overcome 405 and 404 errors thrown on pre-flight ajax options requests only by custom code in global asax   protected void Application BeginRequest                             HttpContext Current Response AddHeader  Access-Control-Allow-Origin                 if  HttpContext Current Request HttpMethod     OPTIONS                           These headers are handling the  pre-flight  OPTIONS call sent by the browser             HttpContext Current Response AddHeader  Access-Control-Allow-Methods    GET  OPTIONS                HttpContext Current Response AddHeader  Access-Control-Allow-Headers    Content-Type  Accept                HttpContext Current Response AddHeader  Access-Control-Max-Age    1728000                HttpContext Current Response End                      PS  Consider security issues when allowing everything     I had to disable CORS since it was returning  Access-Control-Allow-Origin  header contains multiple values   Also needed this in web config    lt handlers gt     lt remove name  ExtensionlessUrlHandler-Integrated-4 0   gt     lt remove name  OPTIONSVerbHandler   gt     lt remove name  TRACEVerbHandler   gt     lt add name  ExtensionlessUrlHandler-Integrated-4 0  path      verb     type  System Web Handlers TransferRequestHandler  preCondition  integratedMode runtimeVersionv4 0   gt   lt  handlers gt    And app pool needs to be set to Integrated mode

User · Answer

I ve had same problem  and this is how I fixed it   Just throw this in your web config    lt system webServer gt       lt modules gt         lt remove name  WebDAVModule    gt       lt  modules gt        lt httpProtocol gt         lt customHeaders gt           lt add name  Access-Control-Expose-Headers   value  WWW-Authenticate   gt           lt add name  Access-Control-Allow-Origin  value       gt           lt add name  Access-Control-Allow-Methods  value  GET  POST  OPTIONS  PUT  PATCH  DELETE    gt           lt add name  Access-Control-Allow-Headers  value  accept  authorization  Content-Type    gt           lt remove name  X-Powered-By    gt         lt  customHeaders gt       lt  httpProtocol gt        lt handlers gt         lt remove name  WebDAV    gt         lt remove name  ExtensionlessUrlHandler-Integrated-4 0    gt         lt remove name  TRACEVerbHandler    gt         lt add name  ExtensionlessUrlHandler-Integrated-4 0  path      verb     type  System Web Handlers TransferRequestHandler  preCondition  integratedMode runtimeVersionv4 0    gt       lt  handlers gt   lt  system webServer gt

[asp.net] How to support HTTP OPTIONS verb in ASP.NET MVC/WebAPI application

Web.config:

BaseApiController.cs:

Examples related to asp.net

Examples related to ajax

Examples related to asp.net-web-api