Setting CORS (cross-origin resource sharing) on Apache with correct response headers allowing everything through

July 30, 2014

Once in a while you need to make a cross-domain request from Javascript, this is something the browser very much dislikes. I’m no expert on CORS, and I feel that all the documentation on it is pretty bad. But I thought, “Anybody can google”, and so I did.

I started off with just adding the Access-Control-Allow-Origin header in my Apache configuration, thinking that it’ll solve my problems. I also decided to set it on wildcard, allowing anything to request resources.

# In my virtualhost config
Header set Access-Control-Allow-Origin "*"

Restart server, reload page, and I was greeted with the normal cross-domain error.

# Chrome developer tools
OPTIONS http://my.example.dev/setting/1316 405 (Method Not Allowed) 

# Firefox developer tools
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://my.example.dev/setting/1316. This can be fixed by moving the resource to the same domain or enabling CORS.

I kept adding config flags until it looked something like this

Header set Access-Control-Allow-Origin "*"
Header set Access-Control-Allow-Methods "POST, GET, OPTIONS, DELETE, PUT"
Header set Access-Control-Max-Age "1000"
Header set Access-Control-Allow-Headers "x-requested-with, Content-Type, origin, authorization, accept, client-security-token"

I still got the same error. At this point I started to look more into the error, “OPTIONS http://my.example.dev/setting/1316 405 (Method Not Allowed)” or “OPTIONS Method Not Allowed”, I looked under the network tab and noticed that the request method was “OPTIONS”, so I started digging and as if I understood correctly, this is a “pre-flight” request, basically asking the server for the CORS headers, but without data.

The API I was communicating with was not configured to handle OPTIONS request, nor was it supposed to. I decided I didn’t want to hack on the API code instead I wanted to try and circumvent this through Apache.

I added a small rewrite to the virtualhost configuration, basically responding with a 200 SUCCESS on every OPTIONS request.

Header set Access-Control-Allow-Origin "*"
Header set Access-Control-Allow-Methods "POST, GET, OPTIONS, DELETE, PUT"
Header set Access-Control-Max-Age "1000"
Header set Access-Control-Allow-Headers "x-requested-with, Content-Type, origin, authorization, accept, client-security-token"

# Added a rewrite to respond with a 200 SUCCESS on every OPTIONS request
RewriteEngine On
RewriteCond %{REQUEST_METHOD} OPTIONS
RewriteRule ^(.*)$ $1 [R=200,L]

Progress! It still didn’t work, but I got a new error;

# Chrome developer tools
XMLHttpRequest cannot load http://my.example.dev/setting/1316. No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://mydevsite.dev' is therefore not allowed access. 

# Firefox developer tools
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://my.example.dev/setting/1316. This can be fixed by moving the resource to the same domain or enabling CORS.

So by looking at the errors, it looks like the “Access-Control-Allow-Origin” response header is missing, but I’ve already added it to my config with a wildcard domain.
The problem occurs because I don’t cleanly respond with the RewriteRule, I actually redirect the request to a 200 SUCCESS which means earlier response flags were removed. All I had to do was set the “Always” flag on my “Header set” rule.

So for my final try, which was successful, my configuration looked like this;

# Always set these headers.
Header always set Access-Control-Allow-Origin "*"
Header always set Access-Control-Allow-Methods "POST, GET, OPTIONS, DELETE, PUT"
Header always set Access-Control-Max-Age "1000"
Header always set Access-Control-Allow-Headers "x-requested-with, Content-Type, origin, authorization, accept, client-security-token"

# Added a rewrite to respond with a 200 SUCCESS on every OPTIONS request.
RewriteEngine On
RewriteCond %{REQUEST_METHOD} OPTIONS
RewriteRule ^(.*)$ $1 [R=200,L]

And voilà, everything is playing nicely. Hopefully this can help another unfortunate soul trying to navigate through the pitfalls of CORS.

Please note that I haven’t used this config on a production server, just on local development servers, allowing wildcard domains for CORS will create security issues on your site!

Comments on this subject

Shruts said on August 06, 2014 at 08:31
Hi there,

I am still stuck on this problem from last week. I am a novice developer I mostly deal with HTML CSS and JavaScript and not at the server side.

I am trying to access data from an api. I am using simple $.ajax json request. I am getting same error as you were receiving. I added all headers on ajax call beforesend but still not able to resolve. Finally I used PHP but continued getting error.

I would be grateful if you can show in detail how and where did you write this code in apache.

I wrote in c:\\xampp\apache\conf\httpd.conf just copied and pasted the code as it is.
Then later on I tried on c:\\xampp\apache\conf\extra\httpd-vhost.conf inside the tag

I know it sounds lame but I really don't know how to code on the server.
beije said on August 06, 2014 at 09:13
Are you hosting the API? It's important that the web server which hosts the API responds with these headers.

If you do not own the API server or you can't change the configuration for the API, you'll need to setup a <a href="http://www.benjaminhorn.se/code/apache-reverse-proxy/" title="Apache reverse proxy" target="_blank" rel="nofollow">proxy</a> that acts as a middle man for the API where you can set the appropriate headers.

If your still having trouble getting it to work, you could look at an alternative solution using <a href="http://en.wikipedia.org/wiki/JSONP" target="_blank" rel="nofollow">jsonp</a> which doesn't have the same restrictions as cross-domain requests.

Please let me know if you need further assistance! :)
Julio said on August 12, 2014 at 08:21
Brilliant! I was setting up a small application with phalcon PHP + angularJS and this is what worked for me!

Thanks!!
Happy said on August 20, 2014 at 18:28
Was stuck on this for HOURS!!

Thanks - you saved me :)
Chandra Deep said on October 13, 2014 at 12:17
Hi, I have tried this but it is not working for me.

jquery ajax call syntax:
$.ajax({
url: another_url,
data: input,
type: 'POST',
contentType: 'application/json; charset=utf-8',
dataType: "json",
username: 'username',
password: 'password',
xhrFields: {
withCredentials: true
},
headers: { 'Access-Control-Allow-Origin': '*' },
crossDomain: true,
success: function (xhr, ajaxOptions, thrownError) {
alert('Success');
},
error: function(xhr, ajaxOptions, thrownError) {
alert('Error');
},
});

Apache conf is same as you suggested.
but my apache conf have internal VAS Authentication.

Really need your help.
Thanks in advance.
beije said on October 13, 2014 at 13:46
You didn't mention which error you've received. But I would start by looking at the dev-console and see which of the requests fail (if it's the pre-flight OPTIONS request or if it's the POST request).

I would also remove the headers-property and the crossDomain from you jQuery request, seeing as these shouldn't be needed (and the headers seems to be faulty).

I've never worked with VAS so I'm unable to help you on that part, sorry! (but I don't think that's the problem if it's internal)
Chandra Deep said on October 14, 2014 at 06:43
Thanks for response.

Even i have removed "headers and crossDomain: true", from functions.

Here request is POST.

Error: "NS_ERROR_DOM_BAD_URI: Access to restricted URI denied"

It is not authenticating as far my understanding said.
beije said on October 14, 2014 at 17:17
It does look like you have some kind of problem with your CORS settings, can you confirm that the right response headers are given from the server?
Arun said on October 15, 2014 at 09:31
Hi der,

i am trying to upload image using jquery AJAX. I am using XAMPP. I have added the Headers inside C:\xampp\apache\config\extra\httpd-ssl.config, inside tag. And this is my code. I am facing same issue - 'Cross-Origin Request Blocked'

$.ajax({
url: externalURL,
type: 'POST',
cache: false,
processData:false,
crossDomain: true,
jsonpCallback: 'jsonCallback',
dataType: 'jsonp',
jsonp: 'callback',
jsonpCallback: 'jsonpCallback',
data: $("#multiform").serialize(),
beforeSend: function (xhr)
{
xhr.setRequestHeader("Content-Type","application/json");
xhr.setRequestHeader("Accept","text/json");
},
error: function (xhr, status) {
alert(status);
},
success: function (result) {
alert(result);
},
complete:function(data1){
alert(JSON.stringify(data1));
e.preventDefault();
}
});
e.preventDefault(); //Prevent Default action.

});

My response is JSON.. I really dont know what might be the error.
Thanks
beije said on October 15, 2014 at 22:46
Hi Arun,
I'm not an expert on XAMPP setups, but I'm wondering if you're running actually working against https on your dev machine (considering the config file you mentioned is the ssl config), if you're not, see if you can find another config called httpd.config or something similar which handles the non-secure http requests. If you are indeed using the ssl config, are you able to confirm that the ajax request is making a pre-flight request (that would be the OPTIONS request) and that it's returning the expected response headers?

Looking at the code you've posted you seem to have configured the jquery-ajax request for JSONP, which is a different way to communicate with the server (and doesn't need the CORS settings on the server).
Arun said on October 17, 2014 at 08:58
Thanks BEIJE for your kind response. Will look into it .
vikash said on October 17, 2014 at 15:51
I am using below code ,i just need to get URL data to success.jsp page inside main_content.
$(document).ready(function() {
$("ul.mainmenu li.item ul > li > a").click(function(event){
var path = $(this).attr("href");
event.preventDefault();
jQuery.ajax({
type: "GET",
url: path,
success: function(resp){
$("#main_content").append(resp);
}});
});
});
vikash said on October 17, 2014 at 15:52
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource
shyam said on November 17, 2014 at 06:51
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource..

how to resolve this can any budy help me out this.
shyam said on November 17, 2014 at 06:53
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource
Lukasz Wojciechowski said on January 08, 2015 at 16:43
I must stop by to say THANK YOU : )
I was fighting this problem for several hours already.

Your rewrite trick was what I was missing.

Thanks
beije said on January 08, 2015 at 17:41
I'm happy I could help :)
Giang Pham said on January 31, 2015 at 01:29
Hi,
I'm just wondering where are you adding those lines? I'm fairly new to this server stuff too. Would you add them in the VirtualHost config section of the file in the site-enabled/ folder or site-available/ folder? Thanks.
beije said on January 31, 2015 at 11:21
Hi Giang,
You should add them in the VirtualHost config that's located in sites-available. The folder sites-enabled is where the config will be symlinked once you run "a2ensite example.com.conf".
Jack said on February 12, 2015 at 21:19
Are you able to tell me where I enter this information in the web.config file in IIS 7?
beije said on February 12, 2015 at 21:53
I'm sorry, I don't have the slightest clue, and I don't have a Windows machine with IIS currently available.
Jack said on February 12, 2015 at 22:08
Thats ok, thanks for the reply! Appreciate it
Vladimir said on March 02, 2015 at 15:52
Hello,

Thanks a lot for your article. After few hours of investigation I've found your article and now all works as I expected.
beije said on March 02, 2015 at 15:54
I'm happy it worked out for you! :)
Reza Baiat said on March 03, 2015 at 10:29
ReWriting solved the problem.

very nice! thanks a lot
sandeep said on April 03, 2015 at 08:37
Thanks
Jeff said on April 03, 2015 at 19:59
Could this information be put in a .htaccess file and have the same positive results?
beije said on April 03, 2015 at 23:14
Hi Jeff,
Yes, the above config should be placed in the .htaccess file :)
Michael said on April 28, 2015 at 19:26
Have you gone back and try to reduce it down to it's lowest common denominator? Like taking it down to just:
Header always set Access-Control-Allow-Origin "*"

That in itself should be what's blocking it from working.
Wolfgang said on May 30, 2015 at 13:26
I run into the same error message, when using ajax to access a php page (javascript and php file are both located on same server).

The reason was that I specified the IP address as the url rather than the hostname. This made the Browser believe that the call to the php file is on another server.

So an easy solution:
a) verify javascript and php file are on same server
b) make sure the url in your javascricpt ajax reflects your server url
Amit said on June 03, 2015 at 09:30
Hi,

I read above comment and same issue facing with xampp.I tried and change the configuration in "httpd.conf" but still no luck:(. I already wasted lots of time to just make it "CORS" friendly.

Thanks
Roland L. said on June 03, 2015 at 13:14
Hi,

I have a really interesting scenario. I've added CORS support to my server (Apache 2.2.16 with 2 Tomcats behind mod_jk (active/passive)). A client wants to do a cross-domain XHR, but the preflight OPTIONS request should *not* be forwarded to the Tomcats, because the backend can't handle it. I tried using mod_rewrite like you also described. I get the 200 from Apache, but it adds a HTML body ("The server encountered an internal error or misconfiguration and was unable to complete
your request."). It seems to me that Apache is doing "something" with the response after mod_rewrite said that it should be a 200.

I don't know if it's understandable, so here's an example:

mod_rewrite:

RewriteEngine On
RewriteCond %{REQUEST_METHOD} OPTIONS
RewriteRule ^(.*)$ $1 [R=200,L]

The request:

curl -v -X OPTIONS "https://myserver.local.lan/foo/api?some=param" -H "Access-Control-Request-Method: POST" -H "Origin: myother.server.lan" -H "Access-Control-Request-Headers: Authentication, X-CUST-Header1, X-CUST-Header2, Content-Type"

Result:

< HTTP/1.1 200 OK
< Date: Wed, 03 Jun 2015 09:20:13 GMT
* Server Apache/2 is not blacklisted
< Server: Apache/2
< Access-Control-Allow-Origin: *
< Access-Control-Allow-Methods: GET, HEAD, POST
< Access-Control-Allow-Headers: Accept, Authentication, Authorization, Content-Encoding, ..., X-CUST-Header1, X-CUST-Header2
< Access-Control-Max-Age: 3600
< Vary: Accept-Encoding
< Content-Encoding: gzip
< Content-Length: 386
< Keep-Alive: timeout=5, max=250
< Connection: Keep-Alive
< Content-Type: text/html; charset=iso-8859-1
<

200 OK

OK
The server encountered an internal error or
misconfiguration and was unable to complete
your request.
Please contact the server administrator,
root@myserver.local.lan and inform them of the time the error occurred,
and anything you might have done that may have
caused the error.
More information about this error may be available
in the server error log.

Apache/2 Server at myserver.local.lan Port 443

Expected Result:

HTTP/1.1 200 OK without the HTML body.

Why does Apache "attach" an Internal Server Error ErrorDocument?

If I use [R,L] (R=302) I get the standard "Document moved here: ..." text and for [R=304,L] I get no body.

Can somebody explain to me what mod_rewrite/Apache are doing *after* the RewriteRule has been processed and the return code is "determined"?

The cross-origin request works BTW, this is only something I noticed while working on the server config. It simply "looks" bad if you have the developer console is open. The user should not see the internal server error, because the response is "hidden" between the browser and JS.
Diego said on June 10, 2015 at 11:09
Awesome job, thanks a lot for this valuable information!
Fernando Freitas Alves said on June 16, 2015 at 15:22
Thank you for your awesome post!

Do you have another one talking about how to use it on a production server?
LuisFurtado said on June 23, 2015 at 21:34
Thanks, It worked perfectly for me!
blucodez said on June 26, 2015 at 09:28
im a complete noob to programming. where should i put the rewrite? some one help please
beije said on June 26, 2015 at 17:10
Hi blucodes,
You should put the rewrite in the .htaccess file in your webroot, assuming you're using apache to serve your pages.
Akshay Rokade said on July 07, 2015 at 13:33
Hi ,
I am new to handle this server stuff, I face same error.
What I know that I have file httpd.conf(path-- /usr/local/zend/apache2/conf)
All 10 line you specified for solution need to be place in same file ?
beije said on July 07, 2015 at 13:52
Yes, you should place all the lines in your config file. It might be worthwhile to read through some of the manual, since you might have to modify the config for whatever needs you have.
Akshay Rokade said on July 07, 2015 at 14:45
Thank you beije for reply...
Paul said on July 10, 2015 at 00:27
Very much appreciated your post, Thank you!! It really helped me cut through some difficult stuff.

I wanted to let you are whomever know, that after I got everything working, I went back and removed the the following code as it was not actually needed after all.

# Added a rewrite to respond with a 200 SUCCESS on every OPTIONS request
RewriteEngine On
RewriteCond %{REQUEST_METHOD} OPTIONS
RewriteRule ^(.*)$ $1 [R=200,L]

I say "after all" acknowledging the idea that it was this code that permitted us to be able to "see" some sort of response in order to work through things to the eventual set up that is actually required.

Thanks you again!!
beije said on July 10, 2015 at 06:34
@Paul Hi, I'm glad that the post gave you some help.

While OPTIONS aren't needed for all applications, it is needed if your sending data with some specific types of mimetype (for example application/json). The OPTIONS method is used to verify CORS with a preflight request that checks that CORS is enabled and allowed on that domain. (if there was no preflight, a request with side effects might go through to the backend, but the frontend wouldn't get a response).

In your case it might've been that you didn't need it, if you don't use preflight, or your backend may already respond on the OPTIONS method.
Chandan Garg said on July 10, 2015 at 12:55
Very Helpful. Thanks :)
Akshay Rokade said on July 20, 2015 at 10:36
Hi beije,
I tried with copy & paste of all 10 line in file httpd.conf file as I mentioned in my above comments but It won't work for me, I am still getting error of cross origin request blocked. Can you please guide in detail.
della said on July 24, 2015 at 03:49
Great post. Made the changes to the apache config file httpd.conf and viola! It worked...ONCE! Only once. I'm back to square one with "..cannot load file...Cross origin requests are..." Has anyone else run into this? Does anyone have a "fix..workaround"?
Curtis Gibby said on July 31, 2015 at 23:49
This worked perfectly for me when trying to fix CORS problems with Swagger UI! Many thanks!
Felipe Reis said on August 13, 2015 at 19:16
You just save my day! My app works in a server and doesn't work in another. I did it in the other and now it's working like a charm. Thanks!
John S. said on August 26, 2015 at 23:10
Great post! Thanks for sharing it. But I have a question. I set this up on Apache and it works fine in Chrome but results in a CORS error in Firefox: "Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://xxxxxxxxx:8013/. (Reason: CORS request failed)."

Anyone have any ideas?

Thanks again . . .
Crisan Zoica said on September 06, 2015 at 21:17
Regards from across the ocean!

What you wrote here is pure gold, but CORS is FUBAR.
I kind of understand its power, but setting it up it's driving me crazy.
I'm trying to use CORS to GET an xml file from w3school.com website.
Here is my code:

table, th, td { border: 1px solid black; border-collapse:collapse; }
th, td { padding: 5px; }

var createCORSRequest = function(method, url) {
var xhr = new XMLHttpRequest();
if ("withCredentials" in xhr) {
// Most browsers.
xhr.open(method, url, true);
} else if (typeof XDomainRequest != "undefined") {
// IE8 & IE9
xhr = new XDomainRequest();
xhr.open(method, url);
} else {
// CORS not supported.
xhr = null;
}
return xhr;
};

var url = 'http://www.w3schools.com/xml/cd_catalog.xml';
var method = 'GET';
var xhr = createCORSRequest(method, url);

xhr.onload = function() {
// Success code goes here.
};

xhr.onerror = function() {
// Error code goes here.
};

xhr.send();

And here is the error i get in Firefox, using Firebug:
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://www.w3schools.com/xml/cd_catalog.xml. (Reason: CORS header 'Access-Control-Allow-Origin' missing).

I have setup apache for CORS following your example.

What i dont understand from the error, is my server the issue, not allowing CORS or is w3school blocking CORS requests-in other words, is w3school not CORS enabled?

I read CORS tutorials a few times, but it just wont stick to me...

I will be forever in your debt if you can help me on this one.

Thanks in advance!
beije said on September 07, 2015 at 06:55
Hi Crisan,
The problem you're seeing is because the CORS headers need to be set on w3school, not on your server.

The only way for you to fetch that file is to proxy the file through your own server.
alaa said on September 08, 2015 at 15:01
It is very helpful

Thanks :)
FarhanMaba said on October 13, 2015 at 06:34
Thank you very much sir. Its working perfectly fine for cross domain websites. I mean I'm testing the web app on local host and I'm accessing the the data from a hosted server. its working great.

But the server does not respond when I install the same web app build through PhoneGap on my cell phone. I've enabled CORS as you mentioned. but its not working.

I've written my front end in HTML, CSS and JavaScript and I'm calling my server side code through AJAX call without using JSON. what should i do? your help would be great. I'm stuck on this issue for days. Thanks.
beije said on October 14, 2015 at 16:45
Hi FarhanMaba ,
Do you have the network permissions enabled for the app? Are you able to make any request to an outside resource?
Venkatesh said on November 06, 2015 at 12:46
It is good work around with debugging and information about why something not worked. Really helpful for me to get rid of the CORS. Thanks a lot for clean post with explanation.
Eduardo said on November 06, 2015 at 14:28
Hello: Please give me a hand !!!. I am getting this error message when I load my web page and some buttons and things don´t load. I am in a Windows Server with PHP 5.3 (I don´t know if that´s the problem, because it loads ok in Linux servers with PHP 5.4). Thanks for any help !!! This is the error: 12:41:48.002 Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://www.exampledomain.com/muestra/assets/css/skin.less. (Reason: CORS header 'Access-Control-Allow-Origin' missing).1
Wesley said on November 06, 2015 at 17:27
Thanks! I have been looking hours in code and the answer was on the server.

Thanks 1.000.000 times!!!
S Rao said on December 04, 2015 at 01:38
Thanks a Ton ! You saved hours (or days) of my precious time !
Chuck said on December 23, 2015 at 23:05
Hey!

I put exactly what you said in the .htaccess at the root of the folder bring served and I started seeing 500 errors. Did the syntax change for apache 2.4.7?
J Haag said on January 22, 2016 at 16:52
I'm using apache and kept seeing these errors in Chrome relating to CORS :

XMLHttpRequest cannot load The request was redirected to 'url', which is disallowed for cross-origin requests that require preflight.

and

XMLHttpRequest cannot load 'url' The 'Access-Control-Allow-Origin' header contains multiple values '*, *', but only one is allowed. Origin 'url' is therefore not allowed access.

After some digging I found out that I had multiple .htaccess files with the same directives. I got rid of the duplicate entries for Access-Control-Allow-Origin and it solved the problem.

Also, I used "always set" instead of "add":

Header always set Access-Control-Allow-Origin "*"
42jones said on February 04, 2016 at 11:01
Hey :)

Is this solution secure ?

thanks
beije said on February 04, 2016 at 11:12
Hi 42jones,
No, this solution should only be used for dev envs. You can modify the example to restrict to certain domains, but depending on the service, I wouldn't recommend opening it up to all domains (wildcard).
rk said on May 12, 2016 at 06:24
Hi,
I have exact same configuration in my Apache except below two changes
I have
1. Header always set Access-Control-Allow-Origin "https://domain1.example.com"
2. Header always set Access-Control-Allow-Credentials "true"
This configuration working fine for the requests from domain1. Now i got a requirement to allow domain2. So tried below options to set multiple domains
Header always set Access-Control-Allow-Origin "*"
- with this i am getting "Reason: CORS header 'Access-Control-Allow-Origin' does not match '*'" for the requests from domain 1 and domain2

Header always set Access-Control-Allow-Origin "https://domain1.example1.com,https://domain2.example.com"
- This also throwing similar error "Reason: CORS header 'Access-Control-Allow-Origin' does not match 'https://domain1.example1.com,https://domain2.example.com'"

Getting similar error when domains provided with space and | delimiters.
If I add separate entries like below.
Header always set Access-Control-Allow-Origin "https://domain1.example.com"
Header always set Access-Control-Allow-Origin "https://domain2.example.com"

It is always taking last entry and requests from other domain are failing

Tried all options but nothing worked.
It would be great if you can tell me what needs tp be added/modified to allow requests from multiple domains
I am not sure if Header always set Access-Control-Allow-Credentials "true" is limiting to add multiple domains. Wanted to remove this but that requires a change for domain1 application as they are already consuming the REST API.

Thanks,
Anand said on June 17, 2016 at 03:37
Worked like a charm!
Thanks so much for this great post
Anand Vadul said on June 19, 2016 at 13:35
Update:
Realized this set does not end the rewrite after the L flag. This results in a page with an error being returned. After a couple of frustrating hours of wading through Rewrite code, we can do this with allowing Apache to handle OPTIONS as is but be a proxy for all other requests

Here is how the config looks now:

# Handle GET and POST(or everything else) via proxy, handle OPTIONS locally
RewriteEngine On

Header always set Access-Control-Allow-Origin "http://YOUR.LOCALURL.COM"
Header always set Access-Control-Allow-Methods "POST, GET, OPTIONS"
Header always set Access-Control-Max-Age "1000"
Header always set Access-Control-Allow-Headers "x-requested-with, Content-Type, origin, authorization, accept, client-security-token"
Header always set Access-Control-Allow-Credentials "true"

# Added a rewrite to respond normally (and not forward to host) on OPTIONS request.
RewriteCond %{REQUEST_METHOD} OPTIONS
RewriteRule .* - [S=1]
RewriteRule ^/(.*)$ https://YOUR.PROXY.com/$1 [proxy]

Hope this helps for some other lost boy/girl in neverland :)
Aron said on June 26, 2016 at 15:25
Worked perfect for me - exactly what I was looking for. Thanks!
Mayra Camacho said on July 06, 2016 at 08:09
Hi beije!!!.

I have the same problem, but the server where I want to send the request is from my client, and I have my index.html in several mobile devices.
Then how can I specify the server origin in the line:
Header always set Access-Control-Allow-Origin "https://mydevice.com"

PLEASE, PLEASE, PLEASE!!!

Thanks in advance for your reply.
Moeed Nisar said on July 12, 2016 at 22:05
Hi there,

i just copy & paste the below code in my httpd.conf file and restart the wamp server, its not getting started and stuck with a yellow icon.

Header always set Access-Control-Allow-Origin "*"
Header always set Access-Control-Allow-Methods "POST, GET, OPTIONS"
Header always set Access-Control-Max-Age "1000"
Header always set Access-Control-Allow-Headers "x-requested-with, Content-Type, origin, authorization, accept, client-security-token"
Header always set Access-Control-Allow-Credentials "true"

# Added a rewrite to respond normally (and not forward to host) on OPTIONS request.
RewriteEngine On
RewriteCond %{REQUEST_METHOD} OPTIONS
RewriteRule ^(.*)$ $1 [R=200,L]

when i remove the above code from httpd.conf file, wamp server started perfectly

please help......

Thanks in advanced
Moeed Nisar said on July 12, 2016 at 22:18
Let me explain what i am trying to achive

i am sending a corss-domain request from ionic 2 application. at first the request sends to a php file,then the php file send a request to facebook graphi api to get the data. i am trying to send a response to ionic 2 application which i get from facebook api .

when i hit the requested php url directly from the browser it gives me a valid json response. but when i send a request from ionic 2 app. it gives me an error(unexpected end of json input).

after googling for 2-3 days, i finally noticed that when i send a request to php file from ionic 2 application, it does not sends a request to facebook api.

but when i copy/paste the url of php file in the browser, it gives me a proper json response.

i know the scenario is a bit confusing, but i am stuck with it for 3-4 days.

please advice me to get rid of this issue..

thanks
AS said on September 23, 2016 at 17:19
Thankkkkkk Youuuuu!!!!

I had been struggling with the CORS issue for a long time and after hours of googling finally came across your solution.

A big thumbs up for not only discussing the solution but also for sharing exactly what needs to be pasted. It really helps build an understanding for novice folks.
Nigel Wheeler said on November 01, 2016 at 14:49
Mate,
just spent 24 solid hours of frustration trying to get past a 400 error from chrome pre-flight if I attempted to add any form of custom header (for token Authorization) for connecting to my magento 2 rest api using angular 2 cross domain (CORS/XHR).
Added the re-write rule and bingo.
You are my current hero :)
Hope the keywords in this comment help Mr. (or Mrs.) Google get this post to the top of the search results for anyone else struggling in the position I've just been in.
Now on to the next problem ;)
hannes fuchs said on November 11, 2016 at 08:21
Thanks, it solved my problems (with a little change - additional condition).

https://github.com/owncloud/core/issues/26350

apache Changes for working Windows Explorer Webdav on https owncloud behind revere proxy:

RewriteEngine On
RewriteCond %{REQUEST_URI} ^(/)$ [NC]
RewriteCond %{REQUEST_METHOD} OPTIONS
RewriteRule ^(.*)$ $1 [R=200,L]
William said on December 23, 2016 at 09:03
Could you help me please. I'm trying to create an audio visualization program on Codepen (http://codepen.io/www139/pen/mEGpmW?editors=0010). The audio loads from my web server running apache in Ubuntu. You'll notice the error MediaElementAudioSource outputs zeroes due to CORS access
restrictions for [audio file URL].
I've asked a question here (http://askubuntu.com/questions/863786/apache-2-4-18-configuring-cors-for-audio-file-sharing-to-another-domain) and two others on Stackoverflow. I've been trying to figure this out for hours spanning over several months.
Trovalost said on December 29, 2016 at 21:46
Great help from this post for my new Ionic app, thanks for sharing :-)
Phippsy said on January 05, 2017 at 02:48
In my case, I simply hadn't enabled the headers module in apache, which can be easily done from the command line:

a2enmod headers

then restart apache:

service apache2 restart
praths said on January 05, 2017 at 20:02
Hi All,

i'm trying configure CORS on my apache. i have a similar issue, can some help me.
Apache version 2.4.16

I have configured CORS setup in config file as below

Header set Access-Control-Allow-Origin "https://stage.donatexxxxx"
#Header always set Access-Control-Allow-Origin "*"
Header always set Access-Control-Max-Age "1000"
Header always set Access-Control-Allow-Headers "Cache-Control, If-Modified-Since, X-Requested-With, Content-Type, Origin, Authorization, Accept, Client-Security-Token, Accept-Encoding, Pragma"
Header always set Access-Control-Allow-Methods "POST, GET, OPTIONS, DELETE, PUT"

response out put:
allow →OPTIONS,GET,HEAD,POST
content-length →0
content-type →application/json
date →Thu, 05 Jan 2017 18:16:08 GMT
p3p →CP="NON CUR OTPi OUR NOR UNI"

Apache is not allowing below on headers

Access-Control-Allow-Credentials →true
Access-Control-Allow-Methods →GET, POST
Access-Control-Allow-Origin →*
Cache-Control →proxy-revalidate

Appreciate your help!
sideeq shafi rather said on January 16, 2017 at 07:31
i have added the said snippet in my .htaccess file but i am getting
Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost:8081' is therefore not allowed access.
my json code
$.ajax({
cache:false,
//crossDomain:true,
type:'POST',
url:"api url",
beforeSend: function(jqXHR){jqXHR.setRequestHeader('key', 'value');},
//headers: JSON.stringify(header),
contentType: "application/json",
data: JSON.stringify(req),
dataType: "application/json",
jsonp: false,
success: function(data){
console.log(JSON.parse(JSON.stringify(data)));
},
error: function(jqxhr, data, error){
console.log(jqxhr);
console.log(JSON.parse(JSON.stringify(data)));
console.log(Error);
}
});
sideeq shafi rather said on January 17, 2017 at 12:07
voila!!
it worked
Thank you so much for this amazing article
super like
Olaf Martens said on February 18, 2017 at 13:26
Exactly what I needed!
Since I need an error reporter to report any problems from http to https, I somehow had to defeat this limitation of XMLHttpRequest - and this did the trick.
Alexander said on April 07, 2017 at 12:38
Using the wildcard in "Access-Control-Allow-Origin *" is an EXTREMELY BAD advise.

Nobody will read the footer of the current article, as people will just copy paste the config there and not think about it.

You always must put in explicit hostnames in it, otherwise you completely open up your site to attacks.
Joshua said on May 18, 2017 at 02:06
Thanks man. u just saved me
Andres said on May 30, 2017 at 10:42
Hi.
Where, exactly, I must to put the following lines:
# Always set these headers.
Header always set Access-Control-Allow-Origin "*"
Header always set Access-Control-Allow-Methods "POST, GET, OPTIONS, DELETE, PUT"
Header always set Access-Control-Max-Age "1000"
Header always set Access-Control-Allow-Headers "x-requested-with, Content-Type, origin, authorization, accept, client-security-token"

# Added a rewrite to respond with a 200 SUCCESS on every OPTIONS request.
RewriteEngine On
RewriteCond %{REQUEST_METHOD} OPTIONS
RewriteRule ^(.*)$ $1 [R=200,L]

Thanks in advance
Rodrigo Laisequilla Ramos said on July 23, 2017 at 07:07
Thank you very much for your help, I was struggling with this issue for more than 2 days, putting those lines under the .htaccess located on the web root directory made the trick!
Awesome!
Mehshad Hamza said on July 25, 2017 at 15:23
Superb! worked like a charm. I was badly in need of this :)
edwin said on September 16, 2017 at 06:00
article from 2014, but still in use in 2017. Great article
Kailash Kumar P Jain said on October 04, 2017 at 09:12
Thank you everyone for their support .The fix is working perfectly fine.
Ammu said on October 26, 2017 at 08:59
Hi,
I have the same issue while calling my API from http://editor2.swagger.io.
Noticed: the request method is “OPTIONS” with 406 Not Acceptable status code

error:
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://localhost/users/password/. (Reason: CORS preflight channel did not succeed).

@ http.conf file I added the following code

Header always set Access-Control-Allow-Origin "*"
Header always set Access-Control-Max-Age "1000"
Header always set Access-Control-Allow-Headers "X-Requested-With, application/json, Origin, Authentication, Accept, Client-Security-Token, Accept-Encoding"
Header always set Access-Control-Allow-Methods "POST, GET, OPTIONS, DELETE, PUT"

i am also tried with your code
Header always set Access-Control-Allow-Origin "*"
Header always set Access-Control-Allow-Methods "POST, GET, OPTIONS, DELETE, PUT"
Header always set Access-Control-Max-Age "1000"
Header always set Access-Control-Allow-Headers "x-requested-with, Content-Type, origin, authorization, accept, client-security-token"

Please help me ...

Thanks in advance
Elton said on November 04, 2017 at 07:57
Purging the CDN as well helped me after setting only the following:-

# Allow cross-domain fonts

Header always set Access-Control-Allow-Origin "https://cdn.exampledomain.com"

...and the "*" wildcard also worked when I tested. All was done in the VirtualHost's conf file for the domain ( in 'sites-available' directory under /etc/apache2 ) and wasn't done in any .htaccess file (which I don't use)

A copy of the unexpired files (fonts, in my case) had the old headers that were missing the setting and nothing was working for me until I woke up to it. The purge refreshed the files in the CDN with ones having the amended headers. ...And voilà! All good. :)

I hope this helps someone. :)
Elton said on November 04, 2017 at 07:59
...My reply was stripped of some config file mark-up. Hence the "# Allow cross-domain fonts" comment in the middle of nowhere. :-P
mark said on November 07, 2017 at 17:26
Change the return to a 204 instead of a 200, and you don't get the extra body in the response.

Thanks for this, you saved me hours of struggle!
Amedeo said on November 30, 2017 at 11:56
Hi, where i can put # Always set these headers.
Header always set Access-Control-Allow-Origin "*"
Header always set Access-Control-Allow-Methods "POST, GET, OPTIONS, DELETE, PUT"
Header always set Access-Control-Max-Age "1000"
Header always set Access-Control-Allow-Headers "x-requested-with, Content-Type, origin, authorization, accept, client-security-token"

# Added a rewrite to respond with a 200 SUCCESS on every OPTIONS request.
RewriteEngine On
RewriteCond %{REQUEST_METHOD} OPTIONS
RewriteRule ^(.*)$ $1 [R=200,L]

In httpd.conf or httpd-vhosts.conf? And under which tag?

Thank you.
Vinicius said on December 02, 2017 at 00:15
I added this lines:

# Added a rewrite to respond with a 200 SUCCESS on every OPTIONS request.
RewriteEngine On
RewriteCond %{REQUEST_METHOD} OPTIONS
RewriteRule ^(.*)$ $1 [R=200,L]

But now i'm getting this problem:

Job for apache2.service failed because the control process exited with error code. See "systemctl status apache2.service" and "journalctl -xe" for details.

What i have to do?
Guillaume said on January 11, 2018 at 19:16
Many many thanks ....

I was really blocked for days with it and ... 5 minutes after reading your articles ... everything was working ....

Many many many tks to you !!!
johnny said on January 19, 2018 at 05:06
hi master, what location to place those configures.?
Thank ..!
afrez said on February 02, 2018 at 02:49
Buddy u just save my arse. Thanks!
chantra said on February 23, 2018 at 09:22
3 days that i tried to search and did but last wow it get work.

Thanks!
nvrhood said on May 23, 2018 at 16:35
Hi guys!

As mentioned before, granting access to any sites ("*") is pretty bad idea and at the same time you're unable to specify multiple domains for Access-Control-Allow-Origin header, so you have to follow a tricky path to solve the task.
Here is one of such solutions, that's used for site that serves its files with a CDN (so, name of the serving domain doesn't match to the site's name) and site can be accessible with several names:

SetEnvIf Origin "(https?:\/\/(cdn\.site\.com|www1\.site\.com|www2\.site\.com|special\.site\.com))$" AccessControlAllowOrigin=$0
Header add Access-Control-Allow-Origin %{AccessControlAllowOrigin}e env=AccessControlAllowOrigin

Header always set Access-Control-Allow-Headers "origin, x-requested-with, content-type, authorization, accept"
Header always set Access-Control-Allow-Methods "PUT, GET, POST, DELETE, OPTIONS"

as you can see Access-Control-Allow-Origin header will have, for example, value "https://cdn.site.com" if Origin header in the request has "https://cdn.site.com". The same for www1.site.com, |www2.site.com, and special.site.com.
Adjust the regular expression as needed.
Melchicédec NDUWAYO said on July 10, 2018 at 01:55
Hi, I am getting this issue by sending post requests to apache livy from a java web application using apache tomcat. Can you please tell me where I can put your code in order to overcome that issue?
Thank you!
Eric said on August 21, 2018 at 15:44
for me this one works:

1. enable header_module in wamp or mamp or...

2. and copy into in your backend code rest htaccess file:

# Always set these headers.
Header always set Access-Control-Allow-Origin "*"
Header always set Access-Control-Allow-Methods "POST, GET, OPTIONS, DELETE, PUT"
Header always set Access-Control-Max-Age "1000"
Header always set Access-Control-Allow-Headers "x-requested-with, Content-Type, origin, authorization, accept, client-security-token"
Header always set Access-Control-Expose-Headers "*"

# Added a rewrite to respond with a 200 SUCCESS on every OPTIONS request.
RewriteEngine On
RewriteCond %{REQUEST_METHOD} OPTIONS
RewriteRule ^(.*)$ $1 [R=200,L]
Andreas Alme said on October 30, 2018 at 12:14
Hi! I have a similar setup on my Apache 2.4 server but I get a 403 Forbidden - forbidden by rule response. What could this mean? I use fetch like this:
fetch(url, {
signal: signal, (from AbortController)
method: "POST",
headers: {
"Content-Type": "application/json"
},
body: body
});
Josef said on December 13, 2018 at 01:13
Thanks, that rewrite helps!
Gamal Ali said on December 13, 2018 at 09:23
could you please help me in configuring the parameters on weblogic server that my rest api hosted on
Leslie said on February 06, 2019 at 12:05
This is very good! I am going to try it, but I am concerned about security. I just need something that will allow my website to load images from other websites, with a different url. Do you know if it is possible to say something like: "Ok you can download images from some places but only from Amazon S3" for instance.
Steve said on February 11, 2019 at 15:47
Thanks!! I just want to confirm that this works fine for developing with Ionic/Angular as well. It has made changing servers so much easier. Cheers!
Faith Adekogbe said on March 18, 2019 at 08:57
Thanks so much, this rescued me after 8 hours or gruesome debugging
Cristopher said on April 09, 2019 at 19:29
Thank you!!! You're the best. I have been searching a answer for days. You saved me.
mohcine said on April 16, 2019 at 13:32
is not workin form me help plz
Eric Johnson said on May 22, 2019 at 20:36
I'm getting the 403 forbidden error as well, like Andreas Alme
Mehdi Boutafa said on June 02, 2019 at 11:57
hello, you saved me too! good tips for a boring issue : api call.
Thank you.
Fabio said on June 12, 2019 at 09:58
hello, after several tests and lost hours here is my working setup:

# Always set these headers.
Header always set Access-Control-Allow-Origin "*"
Header always set Access-Control-Allow-Methods "POST, GET, OPTIONS, DELETE, PUT"
Header always set Access-Control-Max-Age "1000"
Header always set Access-Control-Allow-Headers "x-requested-with, Content-Type, origin, authorization, accept, client-security-token, crossdomain, access-control-allow-origin, x-csrf-token"

# Added a rewrite to respond with a 200 SUCCESS on every OPTIONS request.
RewriteEngine On
RewriteCond %{REQUEST_METHOD} OPTIONS
RewriteRule ^(.*)$ $1 [R=200,L]

To notice value in Access-Control-Allow-Headers!!

Thx!
Espen H said on July 17, 2019 at 11:44
You should be aware that you have now effectively turned off any CORS protection in the browser, meaning anyone can load data from your domain into their page, even phishing sites etc.
Roberto Centeno said on August 23, 2019 at 05:10
I'm developing a Wordpress site with AMPPS on a local development server and I was getting a problem with Font Awesome being blocked by CORS policy and your post solved the issue!

Thanks!
Federico said on August 28, 2019 at 01:21
You are the MAN!

Thank you very much. I never faced issues with CORS because I always worked with one single server (in local), now with apache + react wathever node http server on port 3000, I've set the same hostname for both, but nothing. ....

So your solution saved me! Now I can continue. Thank you again.
Ron said on November 01, 2019 at 16:32
Great article!
Every other site just mentions that "you must make sure that OPTIONS always return 200"
And mine returns 401 as a password is required for DAV.

The part everyone is not mentioning,
--
RewriteEngine On
RewriteCond %{REQUEST_METHOD} OPTIONS
RewriteRule ^(.*)$ $1 [R=200,L]
--
did the trick.

Thanks an awfull lot!

Ron

code

Setting CORS (cross-origin resource sharing) on Apache with correct response headers allowing everything through

Tags

Share

Comments on this subject

Related posts

One development virtualhost config to rule them all (for apache2)

Realtime logging

WordPress Gutenberg Quick Start (with useful links)

Motion detection with Javascript and a web camera

Javascript RSS parser

Part 2: CPU intensive javascript computations without blocking the single thread