http-header : access-control-allow-origin

http-header : access-control-allow-origin

This is a response header that indicates whether or not the response that is received can be shared with resources with the given origin. The directive, “origin” indicates to a specific uri which might access the resource. And, so browser should enforce it. For such requests that don’t have credentials, the server might specify wildcard (like “*”), that would thereby allow any origin so as to access that resource.

This header is said to be a Cross-Origin Resource Sharing (abbreviated as CORS) header. For example, when a website “A” tries to access or fetch the content from another site “B” then “B” can send the header (under consideration) so as to tell the browser that content of this very page is accessible to some of the origins. So to say, by default, website B’s pages are not to be accessible to any of the other origins, but the use of this header opens up a door for cross-origin access to happen by very specific requesting origins. For every page or resource that “B” wants “A” to access, “B” must serve its pages with the help of the response header:


This header modifies the protection that is offered to end user based on how the “Same Origin Policy” duly handles the AJAX responses. If say, a user is actually willing to just mess around with the host files so as to modify this protection even more on their own, then only thing that they are compromising is nothing but their own security.

Enablement in Apache:

A file that is, “.htaccess” is created in the directory of our files and the following syntax is added to the file.

Header set Access-Control-Allow-Origin “http://localhost:50000/” (site within “” is an example)

Or; Header Set Access-Control-Allow-Origin “*”

Enablement in Nginx:

The below syntax is added to the nginx configuration file.

add_header “Access-Control-Allow-Origin”  *;  (* refers to the wide open configuration that indicates that any of the client would be able to access the resource)

Or, specific hostnames can be listed which are allowed to access server:

add_header “Access-Control-Allow-Origin” “,”

Enablement in IIS:

  • Internet Information Service (IIS) Manager is opened.
  • The site for which we want to enable CORS is right-clicked and moved to “Properties”.
  • Then we change to “HTTP Headers” tab.
  • In “Custom HTTP headers” section, “Add” is clicked.
  • Access-Control-Allow-Origin is typed in as header name
  • “*” is typed in as header value.
  • Then Ok is clicked twice.


Copyrights ©2008: Valency Networks Pvt Ltd.