iis | web-config

IIS - Disable CORS

by Abhith RajanAugust 14, 2019 · 1 min read · Last Updated:

For any reason you wish to disable CORS for any website hosted on IIS, one way you can do this by allowing all origins. To do that,

  1. Make sure you installed IIS CORS Module on the server.
  2. Update the Web.Config of the website to have the cors section as given below,

Note: code tested on IIS 10

1<?xml version="1.0" encoding="UTF-8"?>
2<configuration>
3 <system.webServer>
4 <cors enabled="true" failUnlistedOrigins="true">
5 <add origin="*">
6 <allowHeaders allowAllRequestedHeaders="true" />
7 </add>
8 </cors>
9 </system.webServer>
10</configuration>

As you can see, we are allowing all origin’s by specifying * as the origin.

After just allowing all origins alone, if you encounter error like,

Request header field content-type is not allowed by Access-Control-Allow-Headers in preflight response.

To solve that, we are setting allowAllRequestedHeaders="true" in the allowHeaders for all the origins.

Remember: CORS is a security feature. Disable only if the resource is totally public.

Additional Resources

Abhith Rajan

Written by Abhith Rajan
Abhith Rajan is an aspiring software engineer with more than 7 years of experience and proven successful track record of delivering technology-based products and services.
Buy me a coffee

Was this article helpful?

Your opinion matters

Please share your thought about this article

This page is open source. Noticed a typo? Or something unclear?
Improve this page on GitHub

Related Posts