Many types of content and behaviors are required to render a rich webpage, from images and stylesheets, to scripts. Some of that content might be data or AJAX requests that have the ability to pull down additional payload to the browser. To prevent such requests from getting maliciously hijacked along the way, the CORS recommendation was incorporated into the recommended standards by the W3C (World Wide Web Consortium) to help establish trust between the client and the server

For this to work, a browser making a request via AJAX to any domain other than the origin of the webpage itself, must present an Origin header. The server, in kind, needs to respond with an Access-Control-Allow-Origin header to signal that it expects requests from that domain. If it fails to respond with the expected values or header, the browser prevents the script that is requesting the resource from accessing the response returned by the server. While it doesn’t protect the client in the event of a security breach on the server side, it does help eliminate much of the risk of cross-site scripting vulnerabilities.

When you intend to open an API to a website that does not originate from the same origin, you need to enable CORS in your application. You can say that two requests share the same origin if they both operate on the same domain, the same port, and the same scheme, HTTP or HTTPs. When enabling CORS, it is wise to enable it where you can modify or invalidate particular origins on the fly. An example of this is where you have an API that is consumed by third-parties who pay to access your API.

To enable CORS support in your application, you must first add the Microsoft.AspNetCore.Cors package to your project.json. Next, you need to add a CORS policy to the service container in your application in Startup.cs via the CorsPolicyBuilder:

public void ConfigureServices(IServiceCollection services)
      // other service config
      services.AddCors(options =>
         builder => builder.WithOrigins(""));
     // ...

The call to AddPolicy() allows you to both name and build the policy you want. You can then wire the CORS middleware into the application ahead of the call to UseMvc() in the Configure method of Startup.cs:


The breadth of this policy might be too wide for your entire API, so you can actually omit the call to UseCors() altogether, and instead, opt to use an attribute-based approach at the controller level.

[EnableCors("MyApiPolicy ")]
public class SkiPassValidationApiController : Controller
       // ...

This approach gives you a more granular approach to enabling CORS for specific aspects of your API. You can also use EnableCors at the action level, or if you want to disable CORS for an action that would otherwise be included in the policy, globally or at the controller level, you can apply the DisableCors attribute.


Share Button

Leave a Reply

Your email address will not be published. Required fields are marked *

Post Navigation