Sometimes when you want to enable access to your website files like XML from another website, you would have to enable CORS (Cross Origin Resource Sharing) using IIS, so in this post, I have provided methods to enable CORS in IIS.

Using IIS Manager

  1. Open IIS manager on your server or on your local PC.
  2. Navigate to the website you need to edit the response headers for.
  3. From the list or Icons related to the site you are editing, select "HTTP Response Headers" from the middle-pane, as shown in the image below
    enable-cors-using-iis-manager-min.png
  4. Double click "HTTP Repsonse Header"
  5. Now, click "Add" from right hand side pane
  6. A dialog box will open. For name enter "Access-Control-Allow-Origin" and for Value enter an asterisk ( * ).
    access-control-cors-enable-iis-min.png
  7. Click Ok, you are done.

This should enable CORS, using above steps you can add custom header from IIS for a particular website.

Using Web.Config

You can simply enable Cors by adding configuration in your asp.net website's web.config file, here is the configuration

<system.webServer>
    <httpProtocol>
        <customHeaders>
            <add name="Access-Control-Allow-Origin" value="*" />
            <add name="Access-Control-Allow-Methods" value="GET,POST,OPTIONS" />
            <add name="Access-Control-Allow-Headers" value="Content-Type, soapaction" />
        </customHeaders>
    </httpProtocol>
</system.webServer>

Using C#

You can add the below code in your Global.asax file

 protected void Application_BeginRequest(object sender,EventArgs e)
    {
        HttpContext.Current.Response.AddHeader("Access-Control-Allow-Origin", "*");

        if(HttpContext.Current.Request.HttpMethod == "OPTIONS")
        {
            //These headers are handling the "pre-flight" OPTIONS call sent by the browser
            HttpContext.Current.Response.AddHeader("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE");
            HttpContext.Current.Response.AddHeader("Access-Control-Allow-Headers", "Content-Type, Accept");
            HttpContext.Current.Response.AddHeader("Access-Control-Max-Age", "1728000" );
            HttpContext.Current.Response.End();
        }

    }

Enabling CORS in Web-API

In Visual Studio, from the Tools menu, select NuGet Package Manager, then select Package Manager Console. In the Package Manager Console window, type the following command:

Install-Package Microsoft.AspNet.WebApi.Cors

Once the above Package is installed, open the file App_Start/WebApiConfig.cs. Add the following code to the WebApiConfig.Register method:

    public static class WebApiConfig
    {
        public static void Register(HttpConfiguration config)
        {
            //add to enable cors
            config.EnableCors(cors);
           

            //old code, route config etc.
        }
    }

Once done, you can add "[EnableCORS]" attribute above Web-API Controller or Method, for example

using System.Web.Http.Cors; //add namespace

namespace WebService.Controllers
{
    [EnableCors(origins: "http://example.com", headers: "*", methods: "*")]
    public class SampleController : ApiController
    {
        // your API Controller code here
    }
}

Note: If the above method doesn't wor for your API, try to enable CORS globally using the code below in WebApiConfig.cs

    public static class WebApiConfig
    {
        public static void Register(HttpConfiguration config)
        {    
           //enable cors globally
            var cors = new EnableCorsAttribute("www.example.com", "*", "*");
            config.EnableCors(cors);
        }
    }

This will enable Cors Globally, you can ignore "EnableCors" attribute now.

Using IIS CORS Module

The IIS CORS module is configured via the <cors> element as part of the <system.webServer> section. The section can be configured at the server, site, or application level.

<?xml version="1.0"?>
<configuration>
  <system.webServer>
    <cors enabled="true">
      <add origin="*" />
    </cors>
  </system.webServer>
</configuration>

In this simplest example, the CORS module module will allow requests from all origins. All other settings like what are the permissible methods and and headers are keyed of the origin. Let's look at another example on how you might use that.

<?xml version="1.0"?>
<configuration>
  <system.webServer>
    <cors enabled="true">
      <add origin="https://example.com">
        <allowMethods>
            <add method="GET" />
            <add method="HEAD" />
        </allowMethods>
      </add>
      <add origin="https://readwriteservice.example.com">
        <allowMethods>
            <add method="GET" />
            <add method="HEAD" />
            <add method="POST" />
            <add method="PUT" /> 
            <add method="DELETE" />         
        </allowMethods>
      </add>
    </cors>
  </system.webServer>
</configuration>

You may also like to read:

How to enable caching in IIS