I have set up our public facing website with the header Access-Control-Allow-Origin: * so that we can use JSON and AJAX. However, what I really want to do is limit it to only certain servers. The requests should only ever come from a few servers that we control. I am having trouble finding something that works without adding in code (example pseudo-code):
for each domain in myDomains
addheader Access-Control-Allow-Origin: domain
next
Is it possible to just add multiple "Access-Control-Allow-Origin" in IIS under the HTTP Headers tab? I know that it is possible to actually add it to IIS, but does it work?
Example:
Access-Control-Allow-Origin: http://domain1
Access-Control-Allow-Origin: http://domain2
Access-Control-Allow-Origin: http://127.0.0.1 (using home as an IP example)
Using Access-Control-Allow-Origin: * is just too insecure.
Since the header is currently set to allow access only from https://yoursite.com, the browser will block access to the resource and you will see an error in your console. Now, to fix this, change the header to this: res.setHeader("Access-Control-Allow-Origin", "*");
Access-Control-Allow-Origin: * is totally safe to add to any resource, unless that resource contains private data protected by something other than standard credentials. Standard credentials are cookies, HTTP basic auth, and TLS client certificates.
More than one Access-Control-Allow-Origin header was sent by the server. This isn't allowed.
This is a security feature for preventing everyone from freely accessing any resources of that domain (which could be accessed, for example, to make an exact copy of your website on a pirate domain). The response headers, even if the status is 200 OK, do not allow other origins (domains, ports) to access the resources.
No, multiple Access-Control-Allow-Origin headers are not allowed. You can only have one Access-Control-Allow-Origin response header, and that header can only have one origin value or * (e.g. you can't have multiple space-separated origins).
Your best option is to read the incoming Origin header, check its value against a whitelist, and only emit the Access-Control-Allow-Origin header if the Origin is allowed. Here's an example in pseudo-code:
origin = request.getHeader('Origin');
for each domain in myDomains
if (domain == origin)
// Add header if the origin is whitelisted
addheader Access-Control-Allow-Origin: domain
return
// Otherwise exit the for loop without adding any headers.