iis , web-config ,

IIS - Disable CORS

by Abhith Rajan FollowAugust 14, 2019 · 1 min read · Last Updated:
Share this

For any reason you wish to disable CORS for any website hosted on IIS, one way you can do this by allowing all origins. To do that,

  1. Make sure you installed IIS CORS Module on the server.
  2. Update the Web.Config of the website to have the cors section as given below,

Note: code tested on IIS 10

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <cors enabled="true" failUnlistedOrigins="true">
          <add origin="*">
            <allowHeaders allowAllRequestedHeaders="true" />
          </add>
        </cors>
    </system.webServer>
</configuration>

As you can see, we are allowing all origin's by specifying * as the origin.

After just allowing all origins alone, if you encounter error like,

Request header field content-type is not allowed by Access-Control-Allow-Headers in preflight response.

To solve that, we are setting allowAllRequestedHeaders="true" in the allowHeaders for all the origins.

Remember: CORS is a security feature. Disable only if the resource is totally public.

Additional Resources

This page is open source. Noticed a typo? Or something unclear?
Improve this page on GitHub

Abhith Rajan

Written by Abhith Rajan FollowBuy me a coffee
Abhith Rajan is an aspiring software engineer with more than 6 years of experience and proven successful track record of delivering technology-based products and services.