Setting Up Cross-Origin Resource Sharing (CORS) Using .htaccess

Cross-Origin Resource Sharing (CORS) is a browser-enforced mechanism that controls how resources on one origin may be read by pages served from a different origin. By default, the Same-Origin Policy (SOP) stops a page's scripts from reading responses to cross-origin requests. CORS lets a web server declare which origins may access its resources and under what conditions (which methods and request headers are permitted).

Why CORS Is Important

Modern web applications frequently make API requests to different domains, such as fetching data from a remote server. Without CORS, such requests would be blocked. Properly configuring CORS ensures that applications function correctly while maintaining security.

Configuring CORS Using .htaccess

For Apache servers, you can enable CORS using the .htaccess file. This is useful when you don’t have access to the main Apache configuration file.

1. Locate or Create the .htaccess File

The .htaccess file is typically found in the root directory of your website. If it does not exist, create one.

2. Add CORS Headers to .htaccess

Open the .htaccess file and add the following lines:

    <IfModule mod_headers.c>
        Header set Access-Control-Allow-Origin "*"
        Header set Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"
        Header set Access-Control-Allow-Headers "Content-Type, Authorization"
    </IfModule>

3. Handling Preflight Requests

For non-simple requests (e.g., PUT, DELETE, or requests with custom headers such as Authorization), browsers send an OPTIONS "preflight" request before the actual request. The "always" condition makes Apache add the headers to every response, including error responses, which the plain "Header set" in step 2 does not. Ensure the server responds to preflights by adding:

    <IfModule mod_headers.c>
        # "always" applies the headers to all responses, including non-2xx ones
        Header always set Access-Control-Allow-Origin "*"
        Header always set Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"
        Header always set Access-Control-Allow-Headers "Content-Type, Authorization"
    </IfModule>

    <IfModule mod_rewrite.c>
        # Answer OPTIONS preflights directly with an empty 200 response.
        # A status outside 300-399 drops the substitution and stops rewriting,
        # so the preflight is never passed on to the application.
        RewriteEngine On
        RewriteCond %{REQUEST_METHOD} OPTIONS
        RewriteRule ^(.*)$ $1 [R=200,L]
    </IfModule>

4. Restart Apache Server (If Needed)

Some hosting providers require restarting the Apache server for changes to take effect. If you have access to the server, restart it with:

    sudo systemctl restart apache2

5. Testing CORS

Use curl or browser developer tools to verify that CORS is properly set up:

    curl -H "Origin: http://example.com" --verbose http://yourserver.com/api

If configured correctly, you should see the Access-Control-Allow-Origin header in the response.

Best Practices

• Restrict Origins: Instead of using *, specify the exact origins that need access; a wildcard lets any site read the response.
• Limit Methods: Allow only the HTTP methods the API actually requires.
• Use Secure Headers: CORS only governs which origins a browser lets read a response; it is not authentication, so keep proper authentication and security controls on the endpoint itself.

By properly configuring CORS in .htaccess, you can enable secure cross-origin requests while maintaining control over who can access your resources.
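The following .htaccess fragment shows the "restrict origins" practice in working form. It is an added example, not code from the original article, and the origins app.example.com and admin.example.com are hypothetical placeholders for the sites that should be allowed:

```apache
# Added example (not from the original article): reflect only allowlisted origins.
# The two origins below are hypothetical placeholders; replace with your own.
<IfModule mod_setenvif.c>
<IfModule mod_headers.c>
    # Match the Origin request header exactly (scheme + host); a trailing
    # anchor prevents app.example.com.evil.test from passing the check.
    SetEnvIf Origin "^https://(app\.example\.com|admin\.example\.com)$" CORS_ORIGIN=$0

    # Only requests from an allowlisted origin receive CORS headers at all;
    # every other origin gets no Access-Control-Allow-Origin and the browser
    # blocks the read.
    Header always set Access-Control-Allow-Origin "%{CORS_ORIGIN}e" env=CORS_ORIGIN
    Header always set Access-Control-Allow-Methods "GET, POST, OPTIONS" env=CORS_ORIGIN
    Header always set Access-Control-Allow-Headers "Content-Type, Authorization" env=CORS_ORIGIN

    # The response now differs per Origin, so tell shared caches not to serve
    # one origin's reply to another.
    Header always merge Vary "Origin" env=CORS_ORIGIN

    # Uncomment only if cookies or Authorization must be sent cross-origin.
    # Browsers refuse credentials when Access-Control-Allow-Origin is "*",
    # which is another reason to use an explicit allowlist here.
    # Header always set Access-Control-Allow-Credentials "true" env=CORS_ORIGIN
</IfModule>
</IfModule>

<IfModule mod_rewrite.c>
    # Short-circuit preflights with an empty 200, as in step 3 above.
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} OPTIONS
    RewriteRule ^(.*)$ $1 [R=200,L]
</IfModule>
```

To check it, repeat the curl test from step 5 once with an allowlisted Origin and once with an unknown one: the first response should carry Access-Control-Allow-Origin echoing that origin, the second should carry no CORS headers.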
