iis | web-config

IIS - Disable CORS

Disable CORS for IIS 10 website by allowing all origins in two simple steps.

Abhith Rajan
Abhith RajanAugust 14, 2019 · 1 min read · Last Updated:

For any reason you wish to disable CORS for any website hosted on IIS, one way you can do this by allowing all origins. To do that,

  1. Make sure you installed IIS CORS Module on the server.
  2. Update the Web.Config of the website to have the cors section as given below,

Note: code tested on IIS 10

<?xml version="1.0" encoding="UTF-8"?>
        <cors enabled="true" failUnlistedOrigins="true">
          <add origin="*">
            <allowHeaders allowAllRequestedHeaders="true" />

As you can see, we are allowing all origin’s by specifying * as the origin.

After just allowing all origins alone, if you encounter error like,

Request header field content-type is not allowed by Access-Control-Allow-Headers in preflight response.

To solve that, we are setting allowAllRequestedHeaders="true" in the allowHeaders for all the origins.

Remember: CORS is a security feature. Disable only if the resource is totally public.

Additional Resources

This page is open source. Noticed a typo? Or something unclear?
Improve this page on GitHub

Abhith Rajan

Written byAbhith Rajan
Abhith Rajan is a software engineer by day and a full-stack developer by night. He's coding for almost a decade now. He codes 🧑‍💻, write ✍️, learn 📖 and advocate 👍.


Is this page helpful?

Related ArticlesView All

Related StoriesView All