Skip to content
Permalink
Branch: master
Find file Copy path
Find file Copy path
Fetching contributors…
Cannot retrieve contributors at this time
49 lines (37 sloc) 1.61 KB
templateKey title description author authorURL date image tags
blog-post
IIS - Disable CORS
Disable CORS for IIS 10 website by allowing all origins in two simple steps.
Abhith Rajan
2019-08-14 16:54:00 UTC
/img/blog/iis-disable-cors.png
iis
web-config

For any reason you wish to disable CORS for any website hosted on IIS, one way you can do this by allowing all origins. To do that,

  1. Make sure you installed IIS CORS Module on the server.
  2. Update the Web.Config of the website to have the cors section as given below,

Note: code tested on IIS 10

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <cors enabled="true" failUnlistedOrigins="true">
          <add origin="*">
            <allowHeaders allowAllRequestedHeaders="true" />
          </add>
        </cors>
    </system.webServer>
</configuration>

As you can see, we are allowing all origin's by specifying * as the origin.

After just allowing all origins alone, if you encounter error like,

Request header field content-type is not allowed by Access-Control-Allow-Headers in preflight response.

To solve that, we are setting allowAllRequestedHeaders="true" in the allowHeaders for all the origins.

Remember: CORS is a security feature. Disable only if the resource is totally public.

Additional Resources

You can’t perform that action at this time.