CORS — F5 SE Outcome-based Learning documentation

CORS

Objective:

Enable CORS with NGINX

Why:

Cross-Origin Resource Sharing (CORS) is a W3C standard for flexibly specifying which cross-domain requests are permitted. By delivering the appropriate CORS headers, your REST API signals to the browser which domains, also known as origins, are allowed to make JavaScript calls to the REST service.

  • Disable CORS headers if cross-domain calls are not supported/expected.

  • Be as specific as possible and as general as necessary when setting the origins of cross-domain calls.

How:

Cross-origin resource sharing (CORS) is a mechanism that allows restricted resources on a web page to be requested from another domain outside the domain from which the first resource was served.

A web page may freely embed cross-origin images, stylesheets, scripts, iframes, and videos. Certain “cross-domain” requests, notably Ajax requests, are forbidden by default by the same-origin security policy. CORS defines a way in which a browser and server can interact to determine whether it is safe to allow the cross-origin request. It allows for more freedom and functionality than purely same-origin requests, but is more secure than simply allowing all cross-origin requests.

The specification for CORS is included as part of the WHATWG's Fetch Living Standard. This specification describes how CORS is currently implemented in browsers. An earlier specification was published as a W3C Recommendation.

Source: https://en.wikipedia.org/wiki/Cross-origin_resource_sharing

Note

Most proxy_pass setups require a Host header to be added explicitly, since NGINX defaults to passing the original Host header.
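A worked NGINX configuration that applies the two guidelines above (no CORS headers for origins that are not expected, and an explicit origin allowlist instead of a wildcard) and sets the Host header for the proxied upstream. This is an added example, not configuration from the course material or from NGINX's own documentation; the upstream address, server name and allowed origins are placeholders.

```nginx
# Added example: allowlist-based CORS for an API behind NGINX.
# Unknown origins resolve to "" and add_header skips empty values,
# so a request from a non-allowlisted site receives no CORS headers at all.
map $http_origin $cors_origin {
    default                     "";
    "https://app.example.com"   $http_origin;   # placeholder origin
    "https://admin.example.com" $http_origin;   # placeholder origin
}

# Only send Allow-Credentials when an allowlisted origin matched.
map $cors_origin $cors_creds {
    ""      "";
    default "true";
}

server {
    listen 443 ssl;
    server_name api.example.com;            # placeholder
    # ssl_certificate / ssl_certificate_key omitted here

    location /api/ {
        # Echo the matched origin rather than "*": a wildcard would admit
        # every site and cannot be combined with Allow-Credentials: true.
        add_header Access-Control-Allow-Origin      $cors_origin always;
        add_header Access-Control-Allow-Credentials $cors_creds  always;
        # Tell caches the response depends on the Origin header, so one
        # origin's response is never served to another.
        add_header Vary "Origin" always;

        # Answer preflight requests locally so they never reach the upstream.
        # add_header directives inside "if" replace those of the location,
        # so the origin header is repeated here.
        if ($request_method = OPTIONS) {
            add_header Access-Control-Allow-Origin      $cors_origin always;
            add_header Access-Control-Allow-Credentials $cors_creds  always;
            add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS" always;
            add_header Access-Control-Allow-Headers "Authorization, Content-Type" always;
            add_header Access-Control-Max-Age 600 always;
            add_header Vary "Origin" always;
            return 204;
        }

        # Set the Host header explicitly for the upstream (see the Note above).
        proxy_set_header Host $host;
        proxy_pass http://127.0.0.1:8080;   # placeholder upstream
    }
}
```

To check the behaviour, send a request with an allowlisted Origin and one with an unknown Origin and compare the response headers; only the first should carry Access-Control-Allow-Origin.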

Example Documentation:

NGINX Documentation: