iis | web-config

IIS - Disable CORS

Disable CORS for IIS 10 website by allowing all origins in two simple steps.

Abhith Rajan
Abhith RajanAugust 14, 2019 · 1 min read · Last Updated:
IIS - Disable CORS

For any reason you wish to disable CORS for any website hosted on IIS, one way you can do this by allowing all origins. To do that,

  1. Make sure you installed IIS CORS Module on the server.
  2. Update the Web.Config of the website to have the cors section as given below,

Note: code tested on IIS 10

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
        <cors enabled="true" failUnlistedOrigins="true">
          <add origin="*">
            <allowHeaders allowAllRequestedHeaders="true" />
          </add>
        </cors>
    </system.webServer>
</configuration>

As you can see, we are allowing all origin’s by specifying * as the origin.

After just allowing all origins alone, if you encounter error like,

Request header field content-type is not allowed by Access-Control-Allow-Headers in preflight response.

To solve that, we are setting allowAllRequestedHeaders="true" in the allowHeaders for all the origins.

Remember: CORS is a security feature. Disable only if the resource is totally public.

Additional Resources

iisweb-config

This page is open source. Noticed a typo? Or something unclear?
Improve this page on GitHub

Abhith Rajan

Written byAbhith Rajan
Abhith Rajan is a software engineer by day and a full-stack developer by night. He's coding for almost a decade now. He codes 🧑‍💻, write ✍️, learn 📖 and advocate 👍.
Connect

Webmentions

Is this page helpful?

Buy me a coffee

Related ArticlesView All

Azure - Configuring End-to-End SSL for IIS Website by using Application Gateway
Azure - Configuring End-to-End SSL for IIS Website by using Application Gateway
September 24, 2019 · 3 min read

This article brief about the steps involved in making an end to end HTTPS website which hosted in a VM IIS, in Azure and the traffic need to be routed via Application Gateway.

abhith rajan
by Abhith Rajan
azureiisazure-application-gateway
C# - Get Web.Config Connection String in a Class Library
C# - Get Web.Config Connection String in a Class Library
September 15, 2019 · 1 min read

If you can, pass the connection string as a parameter to the class library. Second option is System.Configuration.ConfigurationManager

abhith rajan
by Abhith Rajan
aspnetc-sharpweb-config
Azure Web App - Missing MIME types
Azure Web App - Missing MIME types
July 11, 2019 · 2 min read

If you are seeing "404 Not Found" for .woff, .woff2 or for .json files even if they exist on your azure web app, this is the post for you.

abhith rajan
by Abhith Rajan
azureweb-config
IIS - OPTIONS Requests Returns 404
IIS - OPTIONS Requests Returns 404
April 19, 2018 · 2 min read

If OPTIONS preflight request getting 404 and URLScan enabled on your hosting machine, check out this article.

abhith rajan
by Abhith Rajan
iisaspnet
IP Security - Configure IP address restrictions in Web.Config on IIS
IP Security - Configure IP address restrictions in Web.Config on IIS
January 09, 2018 · 1 min read

Restrict access to your website using IIS IP security

abhith rajan
by Abhith Rajan
iissecurityaspnet
Hunting security bugs in an old web application
Hunting security bugs in an old web application
October 09, 2017 · 4 min read

In this post, I am sharing one of my security bug hunting experience in an older ASP.NET web form project.

abhith rajan
by Abhith Rajan
aspnet-web-formssecurityweb-config

Related StoriesView All

ASP.NET Core
Four Reasons Why Your ASP.NET Core Application is Not Working in IIS
roundthecode.com · Sep 16, 2020

ASP.NET Core Application Not Working in IIS? We fix Interval Server Errors 500.19 & 500.21, plus 500.30 ANCM In-Process Start Failure

aspnet-coreiis
Web.config
Web.config transformations - The definitive syntax guide
blog.elmah.io · Jul 01, 2019

The best tutorial for web.config/app.config transformations. Learn the syntax and how to test it. Included are also examples like replacing appSettings.

web-config