How to enable CORS in ASP NET Core

Question

I am trying to enable cross origin resources sharing on my ASP NET Core Web API  but I am stuck    The EnableCors attribute accepts policyName of type string as parameter       Summary         Creates a new instance of the Microsoft AspNetCore Cors Core EnableCorsAttribute        Parameters       policyName         The name of the policy to be applied  public EnableCorsAttribute string policyName     What does the policyName mean and how can I configure CORS on an ASP NET Core Web API

User · Answer

Got this working with  Net Core 3 1 as follows  1 Make sure you place the UseCors code between app UseRouting    and app UseAuthentication               app UseHttpsRedirection             app UseRouting            app UseCors  CorsApi             app UseAuthentication            app UseAuthorization             app UseEndpoints endpoints   gt                endpoints MapControllers                  2 Then place this code in the ConfigureServices method  services AddCors options   gt                        options AddPolicy  CorsApi                   builder   gt  builder WithOrigins  http   localhost 4200    http   mywebsite com                AllowAnyHeader                AllowAnyMethod                   3 And above the base controller I placed this   EnableCors  CorsApi     Route  api  controller      ApiController  public class BaseController   ControllerBase   Now all my controllers will inherit from the BaseController and will have CORS enabled

User · Answer

All the workaround mentioned above may work or may not work  in most cases it will not work  I have given the solution here   Currently I am working on Angular and Web API  net Core  and came across CORS issue explained below  The solution provided above will always work  With  OPTIONS  request it is really necessary to enable  Anonymous Authentication   With the solution mentioned here you don t have to do all the steps mentioned above  like IIS settings   Anyways someone marked my above post as duplicate with this post  but I can see that this post is only to enable CORS in ASP net Core  but my post is related to  Enabling and implementing CORS in ASP net Core and Angular

User · Answer

If you are hosting on IIS  one possible reason is you are getting this is because IIS is blocking OPTIONS verb  I spent almost an hour because of this   One telltale indication is you are getting 404 error during OPTIONS request   To fix this  you need to explicitly tell IIS not to block OPTIONS request   Go to Request Filtering     Make sure OPTIONS is allowed     Or  just create a web config with the following setting    lt system webServer gt       lt security gt           lt requestFiltering gt               lt verbs gt                   lt remove verb  OPTIONS    gt                   lt add verb  OPTIONS  allowed  true    gt               lt  verbs gt           lt  requestFiltering gt       lt  security gt   lt  system webServer gt

User · Answer

Step 1  We need Microsoft AspNetCore Cors package in our project  For installing go to Tools -  NuGet Package Manager -  Manage NuGet Packages for Solution  Search for Microsoft AspNetCore Cors and install the package   Step 2  We need to inject CORS into the container so that it can be used by the application  In Startup cs class  let   s go to the ConfigureServices method and register CORS     So  in our server app  let   s go to Controllers -  HomeController cs and add the EnableCors decorator to the Index method  Or your specific controller and action      For More Detail Click Here

User · Answer

Specifically in dotnet core 2 2 with SignalR you must change    WithOrigins  http   localhost 3000   or    SetIsOriginAllowed isOriginAllowed      gt  true    for all origins   instead  AllowAnyOrigin   with  AllowCredentials    https   trailheadtechnology com breaking-change-in-aspnetcore-2-2-for-signalr-and-cors   https   github com aspnet AspNetCore issues 4483

User · Answer

You have to configure a CORS policy at application startup in the ConfigureServices method   public void ConfigureServices IServiceCollection services        services AddCors o   gt  o AddPolicy  MyPolicy   builder   gt                builder AllowAnyOrigin                   AllowAnyMethod                   AllowAnyHeader                             The CorsPolicyBuilder in builder allows you to configure the policy to your needs  You can now use this name to apply the policy to controllers and actions    EnableCors  MyPolicy      Or apply it to every request   public void Configure IApplicationBuilder app        app UseCors  MyPolicy                        This should always be called last to ensure that        middleware is registered in the correct order      app UseMvc

User · Answer

you have three ways to enable CORS   In middleware using a named policy or default policy  Using endpoint routing  With the  EnableCors  attribute   Enable CORS with named policy  public class Startup       readonly string CorsPolicy    quot  corsPolicy quot        public void ConfigureServices IServiceCollection services                services AddCors options   gt                        options AddPolicy name  CorsPolicy                                builder   gt                                                                   builder AllowAnyOrigin                                          AllowAnyMethod                                          AllowAnyHeader                                          AllowCredentials                                                              services AddResponseCaching            services AddControllers               public void Configure IApplicationBuilder app  IWebHostEnvironment env                app UseRouting             app UseCors CorsPolicy               app UseResponseCaching             app UseAuthorization             app UseEndpoints endpoints   gt                        endpoints MapControllers                          UseCors must be called before UseResponseCaching when using UseResponseCaching   Enable CORS with default policy  public class Startup       public void ConfigureServices IServiceCollection services                services AddCors options   gt                        options AddDefaultPolicy                  builder   gt                                         builder AllowAnyOrigin                                          AllowAnyMethod                                          AllowAnyHeader                                          AllowCredentials                                             services AddControllers               public void Configure IApplicationBuilder app  IWebHostEnvironment env                app UseRouting             app UseCors             app UseAuthorization             app UseEndpoints endpoints   gt                        endpoints MapControllers                         Enable CORS with endpoint public class Startup       readonly string CorsPolicy    quot  corsPolicy  quot        public void ConfigureServices IServiceCollection services                services AddCors options   gt                        options AddPolicy name  CorsPolicy                                builder   gt                                                                    builder AllowAnyOrigin                                          AllowAnyMethod                                          AllowAnyHeader                                          AllowCredentials                                                           services AddControllers               public void Configure IApplicationBuilder app  IWebHostEnvironment env                app UseRouting             app UseCors             app UseAuthorization             app UseEndpoints endpoints   gt                        endpoints MapControllers                         RequireCors CorsPolicy                       Enable CORS with attributes you have tow option   EnableCors  specifies the default policy   EnableCors  quot  Policy String  quot    specifies a named policy

User · Answer

Based on Henk s answer I have been able to come up with the specific domain  the method I want to allow and also the header I want to enable CORS for   public void ConfigureServices IServiceCollection services        services AddCors options   gt           options AddPolicy  AllowSpecific   p   gt  p WithOrigins  http   localhost 1233                                                       WithMethods  GET                                                       WithHeaders  name          services AddMvc        usage    EnableCors  AllowSpecific

User · Answer

In case you get the error  quot No  Access-Control-Allow-Origin  header is present on the requested resource  quot  Specifically for PUT and DELETE requests  you could try to disable WebDAV on IIS  Apparently  the WebDAVModule is enabled by default and is disabling PUT and DELETE requests by default  To disable the WebDAVModule  add this to your web config   lt system webServer gt     lt modules runAllManagedModulesForAllRequests  quot false quot  gt       lt remove name  quot WebDAVModule quot    gt     lt  modules gt   lt  system webServer gt

User · Answer

Applies to  NET Core 1 and  Net Core 2  further down   If using  Net-Core 1 1  Unfortunately the docs are very confusing in this specific case  So I ll make it dead-simple    Add Microsoft AspNetCore Cors nuget package to your project In ConfigureServices method  add services AddCors    In Configure method  before calling app UseMvc   and app UseStaticFiles    add   app UseCors builder   gt  builder      AllowAnyOrigin        AllowAnyMethod        AllowAnyHeader        AllowCredentials        That s it  Every client has access to your ASP NET Core Website API     If using  Net-Core 2 0   Add Microsoft AspNetCore Cors nuget package to your project in ConfigureServices method  before calling services AddMvc    add    services AddCors options   gt                options AddPolicy  AllowAll               builder   gt                                builder                  AllowAnyOrigin                     AllowAnyMethod                    AllowAnyHeader                    AllowCredentials                              Important  In Configure method  before calling app UseMvc    add  app UseCors  AllowAll     AllowAll is the policy name which we need to mention in app UserCors  It could be any name

User · Answer

You have to configure in Startup cs class     services AddCors options   gt                        options AddPolicy  CorsPolicy                   builder   gt  builder AllowAnyOrigin                    AllowAnyMethod                    AllowAnyHeader                    AllowCredentials

User · Answer

public void ConfigureServices IServiceCollection services        services AddCors options   gt                options AddPolicy  quot AllowAnyOrigin quot               builder   gt  builder              AllowAnyOrigin                AllowAnyMethod                AllowAnyHeader                  services Configure lt MvcOptions gt  options   gt            options Filters Add new CorsAuthorizationFilterFactory  quot AllowAnyOrigin quot

User · Answer

Some troubleshooting tips  after I managed to waste two hours on the most trivial CORS issue   If you see CORS policy execution failed logged    Don t assume that your CORS policy is not executing properly  In fact  the CORS middleware works  and your policy is executing properly  The only thing this badly worded message means is that the request s origin doesn t match any of the allowed origins  see source   i e  the request is disallowed   The origin check  as of ASP NET Core 5 0  happens in a very simple way    i e  case-sensitive ordinal string comparison  see source  between the strings you provided via WithOrigins   and what exists in HttpContext Request Headers Origin    CORS can fail if you set an allowed origin with a trailing slash    or if it contains uppercase letters   In my case I did in fact accidentally copy the host with a trailing slash

[c#] How to enable CORS in ASP.NET Core

Examples related to c#

Examples related to asp.net-core