Cross-Origin Resource Sharing (CORS) is a security feature implemented by web browsers to prevent unauthorized access to resources from different origins. By default, web browsers restrict web pages from making requests to a different domain than the one that served the web page. This is called the same-origin policy. CORS is a W3C specification that defines a way for a server to allow specific origins to access resources on its domain.
Microsoft.AspNetCore.Cors is a middleware component provided by the ASP.NET Core framework to help developers implement and manage CORS policies in their web applications.
In this article, we will cover the following topics:
CORS is a mechanism that allows web applications to request resources from a different domain. This is done by adding specific HTTP headers to the response, allowing the browser to determine if the request should be allowed or blocked.
CORS policies are defined on the server-side and can be configured per action, per controller, or globally for the entire application. The browser sends a preflight request to the server to check if CORS is enabled and if the request is allowed. The server responds with the appropriate CORS headers, and the browser decides whether to proceed with the actual request or block it based on the response headers.
To enable CORS in your ASP.NET Core application, follow these steps:
Install the Microsoft.AspNetCore.Cors
NuGet package, if it’s not already included in your project.
In the ConfigureServices
method of the Startup
class, call the AddCors
method, which adds the CORS services to the dependency injection container. You can also define a named CORS policy by using the AddPolicy
method:
public void ConfigureServices(IServiceCollection services)
{
services.AddCors(options =>
{
options.AddPolicy("MyCorsPolicy", builder =>
{
builder.WithOrigins("http://example.com")
.AllowAnyHeader()
.AllowAnyMethod();
});
});
}
Configure
method of the Startup
class, call the UseCors
method to add the CORS middleware to the request pipeline. Make sure to put it before any other middleware that needs to handle CORS:public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
app.UseCors("MyCorsPolicy");
// ...
}
That’s it! Now your application has CORS enabled with a basic policy allowing requests from http://example.com
.
You can also apply CORS policies to specific controllers or actions by using the [EnableCors]
attribute:
[EnableCors("MyCorsPolicy")]
public class MyController : ControllerBase
{
// ...
}
[EnableCors("AnotherCorsPolicy")]
[HttpGet]
public IActionResult Get()
{
// ...
}
By default, credentials are not allowed in CORS requests. To allow credentials, use the AllowCredentials
method:
builder.WithOrigins("http://example.com")
.AllowAnyHeader()
.AllowAnyMethod()
.AllowCredentials();
To expose specific response headers to the client, you can use the WithExposedHeaders
method:
builder.WithOrigins("http://example.com")
.AllowAnyHeader()
.AllowAnyMethod()
.WithExposedHeaders("Custom-Header");
If you encounter issues with CORS in your application, consider the following tips:
CORS is an essential security feature for modern web applications, and Microsoft.AspNetCore.Cors makes it easy to implement and manage CORS policies in your ASP.NET Core applications. This article has provided an overview of CORS, its basic configuration, advanced usage, and common troubleshooting tips. With this knowledge, you can confidently develop secure and scalable web applications that support cross-origin resource sharing.