Header set Access-Control-Allow-Origin in htaccess doesn t work

Question

I can t figure out why my  htaccess header settings doesn t work   My  htaccess file content   Header set Access-Control-Allow-Origin   Header always set Access-Control-Allow-Methods  POST  GET  OPTIONS  DELETE  PUT  Header always set Access-Control-Allow-Headers     RewriteEngine On RewriteCond   REQUEST FILENAME   -f RewriteRule        index php  QSA L    But when I remove Header s and add them in index php then everything works fine    header  Access-Control-Allow-Origin       header  Access-Control-Allow-Methods  PUT  GET  POST  DELETE  OPTIONS    header  Access-Control-Allow-Headers         What am i missing

User · Answer

Just for the record  I was running into the exact same problem and none of the answers worked   I used a headers checker tool  http   www webconfs com http-header-check php  I was testing with my IP  http   192 0 2 1 upload  and what came back was the following   HTTP 1 1 301 Moved Permanently   gt   Date   gt  Sat  10 Jan 2015 04 03 35 GMT Server   gt  Apache 2 2 21  Win32  mod ssl 2 2 21 OpenSSL 1 0 0e PHP 5 3 8 mod perl 2 0 4 Perl v5 10 1 Location   gt  http   192 0 2 1 upload  Content-Length   gt  380 Connection   gt  close Content-Type   gt  text html  charset iso-8859-1   There was a redirection happening and the AJAX request does not honor follow redirects   It turned out to be the missing slash at the end of the domain  http   192 0 2 1 upload    I tested again with slash at the end and I got this below  Added a slash in the script too  and it was now working   HTTP 1 1 200 OK   gt   Date   gt  Sat  10 Jan 2015 04 03 53 GMT Server   gt  Apache 2 2 21  Win32  mod ssl 2 2 21 OpenSSL 1 0 0e PHP 5 3 8 mod perl 2 0 4 Perl v5 10 1 X-Powered-By   gt  PHP 5 3 8 Access-Control-Allow-Origin   gt    Access-Control-Allow-Methods   gt  PUT  GET  POST  DELETE  OPTIONS Access-Control-Allow-Headers   gt    Content-Length   gt  1435 Connection   gt  close Content-Type   gt  text html   Use this tool to test if your headers are good and to troubleshoot what is happening

User · Answer

If anyone else is trying this  the most upvoted answer should work   However  if you are having issues it could be possible the browser has cached the REQUEST  To confirm append a query string

User · Answer

try this    lt IfModule mod headers c gt       Header set Access-Control-Allow-Credentials true      Header set Access-Control-Allow-Origin  your domain       Header set Access-Control-Allow-Headers  X-Requested-With   lt  IfModule gt     It s preferable to allow a list of know trusted host

User · Answer

Try this in the  htaccess of the external root folder   lt IfModule mod headers c gt      Header set Access-Control-Allow-Origin      lt  IfModule gt    Be careful on   Header add Access-Control-Allow-Origin     This is not judicious at all to grant access to everybody  I think you should user    lt IfModule mod headers c gt      Header set Access-Control-Allow-Origin  http   example com   lt  IfModule gt

User · Answer

Be careful on     Header add Access-Control-Allow-Origin       This is not judicious at all to grant access to everybody  It s preferable to allow a list of know trusted host only     Header add Access-Control-Allow-Origin  http   aaa example  Header add Access-Control-Allow-Origin  http   bbb example  Header add Access-Control-Allow-Origin  http   ccc example    Regards

User · Answer

I  1 d Miro s answer for the link to the header-checker site http   www webconfs com http-header-check php  It pops up an obnoxious ad every time you use it  but it is  nevertheless  very useful for verifying the presence of the Access-Control-Allow-Origin header   I m reading a  json file from the javascript on my web page  I found that adding the following to my  htaccess file fixed the problem when viewing my web page in IE 11  version 11 447 14393 0     lt FilesMatch     json    gt     lt IfModule mod headers c gt      Header set Access-Control-Allow-Origin        lt  IfModule gt   lt  FilesMatch gt    I also added the following to  etc httpd conf  Apache s configuration file    AllowOverride All   The header-checker site verified that the Access-Control-Allow-Origin header is now being sent  thanks  Miro     However  Firefox 50 0 2  Opera 41 0 2353 69  and Edge 38 14393 0 0 all fetch the file anyhow  even without the Access-Control-Allow-Origin header   Note  they might be checking IP addresses  since the two domains I was using are both hosted on the same server  at the same IPv4 address    However  Chrome 54 0 2840 99 m  64-bit  ignores the Access-Control-Allow-Origin header and fails anyhow  erroneously reporting      No  Access-Control-Allow-Origin  header is present on the requested   resource  Origin   mydomain   is therefore not allowed access    I think this has got to be some sort of  first   IE is working correctly  Chrome  Firefox  Opera and Edge are all buggy  and Chrome is the worst  Isn t that the exact opposite of the usual case

User · Answer

I have a shared hosting on GoDaddy  I needed an answer to this question  too  and after searching around I found that it is possible    I wrote an  htaccess file  put it in the same folder as my action page  Here are the contents of the  htaccess file   Header add Access-Control-Allow-Origin     Header add Access-Control-Allow-Headers  origin  x-requested-with  content-type  Header add Access-Control-Allow-Methods  PUT  GET  POST  DELETE  OPTIONS    Here is my ajax call         ajax           url   http   www mydomain com myactionpagefolder gbactionpage php      server script to process data         type   POST           xhr  function         custom xhr             myXhr     ajaxSettings xhr                if myXhr upload      check if upload property exists                 myXhr upload addEventListener  progress  progressHandlingFunction  false      for handling the progress of the upload                           return myXhr                       Ajax events         beforeSend  beforeSendHandler          success  completeHandler          error  errorHandler             Form data         data  formData            Options to tell JQuery not to process data or worry about content-type         cache  false          contentType  false          processData  false           See this article for reference   Header set Access-Control-Allow-Origin in  htaccess doesn  39 t work

User · Answer

After spending half a day with nothing working   Using a header check service though everything was working  The firewall at work was stripping them

User · Answer

This should work   Header add Access-Control-Allow-Origin     Header add Access-Control-Allow-Headers  origin  x-requested-with  content-type  Header add Access-Control-Allow-Methods  PUT  GET  POST  DELETE  OPTIONS

User · Answer

I activated the Apache module headers a2enmod headers  and the issue has been solved

[.htaccess] Header set Access-Control-Allow-Origin in .htaccess doesn't work

Examples related to .htaccess

Examples related to mod-rewrite

Examples related to rewrite

Examples related to cors