#
# Wide-open CORS config for nginx
#
location / {
    if ($request_method = 'OPTIONS') {
        add_header 'Access-Control-Allow-Origin' '*';
        #
        # Om nom nom cookies
        #
        add_header 'Access-Control-Allow-Credentials' 'true';
        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
        #
        # Custom headers and headers various browsers *should* be OK with but aren't
        #
        add_header 'Access-Control-Allow-Headers' 'DNT,X-Mx-ReqToken,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
        #
        # Tell client that this pre-flight info is valid for 20 days
        #
        add_header 'Access-Control-Max-Age' 1728000;
        # Media type and charset are separated by a semicolon
        add_header 'Content-Type' 'text/plain; charset=UTF-8';
        add_header 'Content-Length' 0;
        return 204;
    }
    if ($request_method = 'POST') {
        add_header 'Access-Control-Allow-Origin' '*';
        add_header 'Access-Control-Allow-Credentials' 'true';
        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
        add_header 'Access-Control-Allow-Headers' 'DNT,X-Mx-ReqToken,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
    }
    if ($request_method = 'GET') {
        add_header 'Access-Control-Allow-Origin' '*';
        add_header 'Access-Control-Allow-Credentials' 'true';
        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
        add_header 'Access-Control-Allow-Headers' 'DNT,X-Mx-ReqToken,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';
    }
}
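A tighter variant of the same location block, added here as an example and not part of the gist: it drops the wildcard in favour of an exact-match allowlist built with a `map`, so `Access-Control-Allow-Credentials: true` is only ever paired with a specific origin (browsers refuse the `*` + credentials combination, as several commenters below found). The `always` parameter needs nginx 1.7.5 or newer. The allowed origins, the `server_name` and the upstream address are assumed placeholders.

```nginx
# Allowlist-based CORS for nginx (added example, not the gist's own config).
# Assumed allowed origins: https://app.example.com and https://admin.example.com.
# The map must live in the http{} context; the server{} block is a minimal host.
map $http_origin $cors_origin {
    default                     "";            # unknown or absent Origin: no ACAO header at all
    "https://app.example.com"   $http_origin;  # exact string match, no regex
    "https://admin.example.com" $http_origin;
}

server {
    listen 80;
    server_name api.example.com;               # assumed hostname

    location / {
        # nginx omits a header whose value is empty, so unlisted origins get no
        # Access-Control-Allow-Origin and the browser blocks the cross-site read.
        # 'always' also attaches the headers to 4xx/5xx responses.
        add_header 'Access-Control-Allow-Origin' $cors_origin always;
        add_header 'Access-Control-Allow-Credentials' 'true' always;
        # Tell shared caches the response depends on Origin, so one origin's
        # ACAO header is never replayed to another.
        add_header 'Vary' 'Origin' always;

        if ($request_method = 'OPTIONS') {
            # add_header inside an if{} replaces the outer set, so repeat them here.
            add_header 'Access-Control-Allow-Origin' $cors_origin always;
            add_header 'Access-Control-Allow-Credentials' 'true' always;
            add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS' always;
            add_header 'Access-Control-Allow-Headers' 'Authorization,Content-Type,X-Requested-With' always;
            add_header 'Access-Control-Max-Age' 1728000 always;
            add_header 'Vary' 'Origin' always;
            # A 204 preflight reply carries no body, so no Content-Type is needed.
            return 204;
        }

        proxy_pass http://127.0.0.1:8080;      # assumed upstream application
    }
}
```

The exact-match `map` is the part that matters: a loose regex such as `^https?://[\w.-]+` matches every origin on the internet, and echoing `$http_origin` unconditionally has the same effect, so either one combined with `Access-Control-Allow-Credentials: true` lets any site read responses with the victim's cookies attached. Keeping the list literal, and keeping `Vary: Origin` so caches in front of nginx do not mix the answers up, avoids both problems.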
jaseemabid commented Apr 12, 2012
Thanks a lot. This saved my day :)
yishenggudou commented Apr 16, 2012
good example for config options
Nek commented May 23, 2012
If only I could see this before wasting 5 hours of time... Thanks a lot for saving the rest of my day! :)
mrdevin commented Aug 2, 2012
For me I had to return 204, otherwise the browser would hang and then timeout on the OPTIONS request:
Updated with 204 return for OPTIONS (mrdevin) and wildcard '*' for Access-Control-Allow-Origin (epicserve).
alexjs commented Nov 28, 2012
I've updated this in https://gist.github.com/4165271 to add a poor man's whitelist. I'm not really sure where having Access-Control-Allow-Origin as wildcard would cause too many issues, but some people may be extra conscious. We use a simple-ish regexp to match valid URLs. Please note that I haven't load tested this, so I don't know what kind of effect it'll have.
remoe commented Dec 18, 2012
Thanks for this. I use: add_header "Access-Control-Allow-Origin" $http_origin;
nanonyme commented Feb 11, 2013
FWIW HTTP/1.1 RFC says response from OPTIONS is not cacheable. Doesn't that mean a browser must ignore your Access-Control-Max-Age header?
kamoljan commented May 30, 2013
Thanks a lot!
andreparames commented Oct 22, 2013
From MDN:
I've confirmed that at least Firefox will block a request with cookies if the Access-Control-Allow-Origin is set to '*'.
puppeteer701 commented Jul 8, 2014
This does not work for me
Meekohi commented Aug 18, 2014
You cannot use a wildcard
meawoppl commented Aug 22, 2014
When starting to use this, Chrome will cache the earlier (CORS failed) requests. Reset the cache to get things working!
TimmyCP commented Sep 20, 2014
Place this in nginx.conf or server blocks?
aronwoost commented Jun 26, 2015
As stated in the docs So save the two hours I just wasted and add
brupm commented Jul 1, 2015
By adding this CORS block to my nginx config I now see my initial OPTIONS request followed by an identical GET request (incorrect duplicate) - Any idea what could be causing this? https://gist.github.com/brupm/1b2c69cbf8f9612ee304 I suspect it's the
niksmac commented Aug 18, 2015
There is a better page http://enable-cors.org/server.html
GromNaN commented Dec 11, 2015
If you use a cache server, you must add a
yinyanfr commented Feb 3, 2016
Where do I put them?
hasangilak commented May 11, 2016
For anybody on Ubuntu, first install turn all add_header into more_set_headers
rowen17 commented May 17, 2016
On So instead of
Use
maxim25 commented Jun 2, 2016
When I add
I get: Any idea?
Skydev0h commented Jun 5, 2016
@maxim25, Are you sure that your nginx is 1.7.5 or newer?
marianacristina666 commented Sep 2, 2016
If 'Access-Control-Allow-Credentials' is set "TRUE"
loustler commented Sep 5, 2016
Thanks.
tomleader commented Oct 12, 2016
Line 28 add_header 'Content-Type' 'text/plain charset=UTF-8'; It seems the semicolon is missing, maybe 'text/plain; charset=UTF-8' is more standard
Cervenka commented Oct 18, 2016
In case you want to use the wildcard origin where possible but also allow credentials if the origin was sent along, use the following:
x2es commented Oct 24, 2016
Why do you specify Content-Type related headers if there is no body for a 204 response?
gansbrest commented Apr 17, 2017
Here is a shorter version of Access-Control-Allow-Origin for nginx that should get you started.
GraniteConsultingReviews commented Sep 1, 2017
I'm having a problem with this code. It is giving me an error.
defaultwp commented Nov 4, 2017
I have put this code in location inside /site-enabled/ but it's still giving an error on http://defaultwallpaper.com Please help.
hasangilak commented May 5, 2018
syntax error. missing closing ' in checking OPTIONS. 'Content-Length should be 'Content-Length'
hasantayyar commented Jun 14, 2018
Thanks for the snippet but
nikitasius commented Jan 30, 2019
set $cors_origin "https://your.domain";
if ($http_origin ~* ^(https?://[\w\.\-]+(:\d+)?)/?.*?$ ) {
    set $cors_origin $1;
}
add_header Access-Control-Allow-Origin $cors_origin always;
add_header Access-Control-Allow-Credentials true;
add_header Access-Control-Allow-Methods 'GET, POST, PUT, DELETE, OPTIONS' always;
add_header Access-Control-Allow-Headers 'Accept,Authorization,Cache-Control,Content-Type,DNT,If-Modified-Since,Keep-Alive,Origin,User-Agent,X-Requested-With' always;
epicserve commented Feb 27, 2012
This doesn't seem to work for me ... I'm using nginx/1.0.5. For testing I replaced http://10.140.10.40 with *.