PROWAREtech

articles » current » asp-net-core » enable-cors

ASP.NET Core: Enable CORS

Enable Cross Origin Resource Sharing (CORS) on an ASP.NET Core Web / REST API or MVC Website; written in C#.

This article requires ASP.NET Core.

It is very easy to enable CORS on an existing or new ASP.NET Core MVC or RESTful API project. See this quick guide if not familiar with what a REST API is.

First, modify Startup.cs as follows.

using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;
using Microsoft.Extensions.Logging;

namespace EnableCorsForApi
{
    public class Startup
    {
        public Startup(IConfiguration configuration)
        {
            Configuration = configuration;
        }

        public IConfiguration Configuration { get; }

        // This method gets called by the runtime. Use this method to add services to the container.
        public void ConfigureServices(IServiceCollection services)
        {


            // ################ THIS IS NEWLY ADDED ################
            services.AddCors(options =>
            {
                options.AddPolicy("WeatherForecastCorsPolicy", builder => // NOTE THE NAME OF THE POLICY HERE; IT IS POSSIBLE TO HAVE MORE THAN ONE POLICY
                {
                    builder.AllowAnyOrigin().AllowAnyMethod().AllowAnyHeader();
                });
            });


            services.AddControllers();
        }

        // This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
        public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
        {
            if (env.IsDevelopment())
            {
                app.UseDeveloperExceptionPage();
            }

            app.UseRouting();


            app.UseCors(); // ################ THIS IS NEWLY ADDED ################


            app.UseAuthorization();

            app.UseEndpoints(endpoints =>
            {
                endpoints.MapControllers();
            });
        }
    }
}

Now, modify the controller action method that access should be granted to.

// WeatherForecastController.cs
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Cors;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Logging;

namespace EnableCorsForApi.Controllers
{
    [ApiController]
    [Route("[controller]")]
    public class WeatherForecastController : ControllerBase
    {
        private static readonly string[] Summaries = new[]
        {
            "Freezing", "Bracing", "Chilly", "Cool", "Mild", "Warm", "Balmy", "Hot", "Sweltering", "Scorching"
        };

        private readonly ILogger<WeatherForecastController> _logger;

        public WeatherForecastController(ILogger<WeatherForecastController> logger)
        {
            _logger = logger;
        }

        [HttpGet]

        // USE THE POLICY NAME THAT WAS USED IN Startup.cs
        [EnableCors("WeatherForecastCorsPolicy")] // ################ THIS IS NEWLY ADDED ################

        public IEnumerable<WeatherForecast> Get()
        {
            var rng = new Random();
            return Enumerable.Range(1, 5).Select(index => new WeatherForecast
            {
                Date = DateTime.Now.AddDays(index),
                TemperatureC = rng.Next(-20, 55),
                Summary = Summaries[rng.Next(Summaries.Length)]
            });
        }
    }
}

Limiting Origins and Methods

The following Startup.cs file shows how to limit origins and methods. Do not forget to update the controller and/or controller action methods.

using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;
using Microsoft.Extensions.Logging;

namespace EnableCorsForApi
{
	public class Startup
	{
		public Startup(IConfiguration configuration)
		{
			Configuration = configuration;
		}

		public IConfiguration Configuration { get; }

		// This method gets called by the runtime. Use this method to add services to the container.
		public void ConfigureServices(IServiceCollection services)
		{
			services.AddCors(options =>
			{
				options.AddPolicy("CorsPolicy1",
					builder =>
					{
						builder.WithOrigins("http://domain.com", "http://*.anotherdomain.com").AllowAnyHeader().AllowAnyMethod();
					});

				options.AddPolicy("CorsPolicy2",
					builder =>
					{
						builder.WithOrigins("http://www.example.com").AllowAnyHeader().WithMethods("POST","GET","PUT","DELETE");
					});
			});

			services.AddControllers();
		}

		// This method gets called by the runtime. Use this method to configure the HTTP request pipeline.
		public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
		{
			if (env.IsDevelopment())
			{
				app.UseDeveloperExceptionPage();
			}

			app.UseRouting();


			app.UseCors(); // DON'T FORGET THIS LINE


			app.UseAuthorization();

			app.UseEndpoints(endpoints =>
			{
				endpoints.MapControllers();
			});
		}
	}
}

Testing the Endpoint

Run the server and try accessing the method(s) that have CORS enabled. The following code can be used to access an API endpoint.

<!DOCTYPE html>
<html>
<head>
    <meta charset="utf-8" />
    <title>JSON-MAN</title>
    <style>
        * {
            font-family: sans-serif;
            font-size: 30px;
            color: blue;
        }

        body {
            padding: 3%;
        }

        input, table, td:last-of-type {
            width: 100%;
        }

        textarea {
            width: 100%;
            height: 300px;
        }
    </style>
    <script type="text/javascript">
/*
request = {
	verb: "GET POST PUT PATCH DELETE",
	path: "/api/",
	headers: {"header1":"value1","header2":"value2"},
	data: "{'is':'json'}",
	onprogress: function(percent){}
};
*/
function ajax2(request) {
	var obj = "object";
	if (typeof request != obj) { request = {}; }
	var undef = "undefined";
	var canPromise = (typeof Promise != undef);
	var xmlobj;
	if (typeof XMLHttpRequest != undef) {
		xmlobj = new XMLHttpRequest();
	}
	else if (typeof window.ActiveXObject != undef) {
		var aVersions = ["MSXML2.XMLHttp.5.0", "MSXML2.XMLHttp.4.0", "MSXML2.XMLHttp.3.0", "MSXML2.XMLHttp", "Microsoft.XMLHttp"];
		for (var i = 0; i < aVersions.length; i++) {
			try {
				xmlobj = new ActiveXObject(aVersions[i]);
				break;
			} catch (err) {
				//void
			}
		}
	}
	if (typeof xmlobj != obj) {
		return {then:function(){return{catch:function(ca){ca("XMLHttpRequest object could not be created");}}}};
	}
	if(typeof request.onprogress == "function" && typeof xmlobj.upload == obj) {
		xmlobj.upload.addEventListener("progress", function (event) {
			request.onprogress(Math.floor(event.loaded / event.total * 100));
		});
	}
	// if no verb is specified then use "get"; if no path is specified then use the current file
	xmlobj.open(request.verb || "get", request.path || location.pathname, canPromise);
	xmlobj.setRequestHeader("Content-Type", "application/json; charset=UTF-8");
	if(typeof request.headers == obj) {
		for(var prop in request.headers) {
			xmlobj.setRequestHeader(prop, request.headers[prop]);
		}
	}
	xmlobj.send(request.data || null);
	if(canPromise) {
		return new Promise(function (resolve, reject) {
			xmlobj.onreadystatechange = function () {
				if (xmlobj.readyState == 4) {
					if (xmlobj.status >= 200 && xmlobj.status < 300) {
						resolve(xmlobj.responseText);
					}
					else {
						reject(xmlobj.responseText);
					}
				}
			};
		});
	}
	else {
		if (xmlobj.status >= 200 && xmlobj.status < 300) {
			return {then:function(th){th(xmlobj.responseText);return{catch:function(){}}}};
		}
		else {
			return {then:function(){return{catch:function(ca){ca(xmlobj.responseText);}}}};
		}
	}
}
var headersobj = null;
function setHeadersColor(input) {
	try {
		headersobj = JSON.parse(input.value);
		if (Array.isArray(headersobj)) {
			headersobj = null;
			input.style.color = "red";
		}
		else {
			input.style.color = "#0b0";
		}
	}
	catch {
		headersobj = null;
		input.style.color = "red";
	}
}
function setBodyColor(input) {
	try {
		JSON.parse(input.value);
		input.style.color = "#0b0";
	}
	catch {
		input.style.color = "red";
	}
}
function submitRequestForm(form) {
	ajax2({
		verb: form.requestmethod.value,
		path: form.endpoint.value,
		headers: headersobj,
		data: form.requestbody.value
	}).then(function (txt) {
		form.responsebody.value = txt;
		return false;
	}).catch(function (err) {
		alert("ERROR");
		form.reset();
		return false;
	});
	return false;
}
    </script>
</head>
<body>
    <h1>JSON-MAN</h1>
    <form method="get" action="" onsubmit="return submitRequestForm(this);">
        <div>
            <table><tr><td><select name="requestmethod"><option>GET</option><option>POST</option><option>PUT</option><option>PATCH</option><option>DELETE</option></select></td><td><input type="text" name="endpoint" placeholder="ENDPOINT" /></td></tr></table>
        </div>
        <div>
            <input type="text" name="headers" placeholder='HEADERS EXAMPLE: {"header1":"value1","header2":"value2"}' onchange="setHeadersColor(this);" onkeyup="setHeadersColor(this);" autocomplete="off" />
        </div>
        <div>
            <textarea name="requestbody" placeholder="REQUEST BODY" onchange="setBodyColor(this);" onkeyup="setBodyColor(this);"></textarea>
        </div>
        <div>
            <textarea name="responsebody" placeholder="RESPONSE BODY" readonly></textarea>
        </div>
        <div>
            <button type="submit">submit</button>
        </div>
    </form>
</body>
</html>

Coding Video

https://youtu.be/n4gnX54BHlQ

kestrel
ASP.NET Core: About

ASP.NET Core is built on top of .NET but also runs on top of .NET Framework.
ASP.NET Core: Add JWT Authentication to MVC

Setup and add JSON Web Token (JWT) bearer authentication to Model-View-Controller application; with examples written in C#.
ASP.NET Core: Add Local Authentication

Setup and add local authentication user accounts; written in C#.
ASP.NET Core: Add REST API to MVC Application

Setup or add ASP.NET Core REST API or Web API controller to MVC website application; written in C#.
ASP.NET Core: Bitmap Image Creation and Download

Create a Bitmap Image from within the MVC controller and send it to the browser; written in C# and compatible with Linux and Windows servers.
ASP.NET Core: Call an External Function Using DllImport in C#

How to correctly use DllImport to call external functions in libraries on both windows (.dll files) and Linux (.so libraries) on a web server.
ASP.NET Core: Compress REST API Output

Compress the output from a Web API to a greater level than if enabling site-wide compression; written in C#.
ASP.NET Core: Create and Use MS SQL Database

Use MS SQL Server to programmatically create a database with Entity Framework; written in C#.
ASP.NET Core: Delete a FileResult File After Sending It to the Browser Using FileStream

FileStream saves server memory and resources when sending a file to the browser, but what if the file needs to be deleted? This article shows how to delete the file after sending it; written in C#.
ASP.NET Core: Download Files

How to download files from an ASP.NET Core Web Application (MVC); written in C#.
ASP.NET Core: Download from URL with WebClient

Download file from an Internet URL/URI using the WebClient class; written in C#.
ASP.NET Core: Drag-and-Drop File Upload

Drag-n-drop file upload using AJAX; no JQuery was used; server-side code written in C#.
ASP.NET Core: Enable CORS

Enable Cross Origin Resource Sharing (CORS) on an ASP.NET Core Web / REST API or MVC Website; written in C#.
ASP.NET Core: Enable Output Compression

How to enable site-wide compression for HTTP and HTTPS; written in C#.
ASP.NET Core: Enable Server Sessions

Enable server sessions to securely store user information related to the session; written in C#.
ASP.NET Core: Globally Unique Identifiers

The GUID is great for anything requiring uniqueness; written in C# and VB.NET.
ASP.NET Core: Handle "View Was Not Found" Server Error

How to handle view not found server errors and return a status code 404 - not found; written in C#.
ASP.NET Core: Hash-based Message Authentication Code

Safely store user passwords or validate a file to check for corruption; written in C#.
ASP.NET Core: How to Create WordPress Slugs

Use C# regular expressions (Regex) to create slugs with only standard characters for use in a URL or other purpose.
ASP.NET Core: How to Issue a GET Request from an Endpoint using C#

Using C#, GET JSON from a REST API endpoint; how to receive JSON data from a REST API.
ASP.NET Core: How to Issue a POST Request to an Endpoint using C#

Using C#, POST JSON to a REST API endpoint; how to receive JSON data from a REST API.
ASP.NET Core: Image Utility Class for SixLabors.ImageSharp v1.0

Manipulate images on Windows and Linux web servers including creating a scatter plot and histogram, and rotating the images as needed to display properly with asp.net core web application example written in C#.
ASP.NET Core: Image Utility Class for SixLabors.ImageSharp v3.0

Manipulate images on Windows and Linux web servers including creating a scatter plot and histogram, and rotating the images as needed to display properly with asp.net core web application example written in C#.
ASP.NET Core: Image Utility for Windows Servers

Manipulate images using System.Drawing.Common (not compatible with Linux); written in C#.
ASP.NET Core: Json Web Token Authentication Minimal Web API Example

A simple example of adding JWT Bearer authentication and authorization to an ASP.NET Core minimal Web API; with examples written in C#.
ASP.NET Core: New ZipFile Stream Options in .NET 8

Covers the new streaming options in the .NET 8 ZipFile class; written in C#.
ASP.NET Core: Send Gmail from Web App

Send Gmail from a web application using C#.
ASP.NET Core: Simple File Upload

Simple file upload using Asynchronous JavaScript and XML (AJAX); server-side code written in C#.
ASP.NET Core: Sort a List of Objects with a Delegate Function

How to use a delegate to sort a C# List Holding Objects Instead of Primitive Types.
ASP.NET Core: Tips and Tricks

Useful tips and tricks for the budding ASP.NET Core developer.
ASP.NET Core: Use Keys Stored in appsettings.json in .NET 6 and Later

Modify and use appsettings.json keys in ASP.NET Core for custom settings; also, create and use custom JSON files for use in C# web apps.
This site uses cookies. Cookies are simple text files stored on the user's computer. They are used for adding features and security to this site. Read the privacy policy.
CLOSE