Last updated on December 14th, 2021 at 03:56 am
Cross Origin Resource Sharing (CORS) allows your web server to accept and serve requests from other domains. By default, CORS is disabled in Apache. You need to set Access-Control-Allow-Origin Header to enable CORS in Apache. Here’s how to set Access-Control-Allow-Origin header in Apache.
How to Set Access-Control-Allow-Origin (CORS) Headers in Apache
Here are the steps to set Access-Control-Allow-Origin header in Apache.
1. Enable headers module
You need to enable headers module to enable CORS in Apache.
Ubuntu/Debian
In ubuntu/debian linux, open terminal & run the following command to enable headers module.
$ sudo a2enmod headers
CentOS/Redhat/Fedora
In CentOS/Redhat/Fedora linux, open the Apache configuration file httpd.conf and uncomment the following line by removing # in front of them.
LoadModule headers_module modules/mod_headers.so
2. Open Apache Configuration File
You can enable CORS in Apache by modifying Apache Server configuration file, or .htaccess file.
Using Apache Server Configuration File
If you have access to Apache server configuration file, open it in a text editor. Apache configuration file is located at any of the following locations, depending on your installation
/etc/apache2/httpd.conf/etc/apache2/apache2.conf/etc/httpd/httpd.conf/etc/httpd/conf/httpd.conf
$ sudo vi /etc/apache2/httpd.conf
Using .htaccess file
If you don’t have access to Apache server configuration file, open .htaccess file in a text editor.
$ sudo vi /var/www/html/.htaccess
Bonus Read : How to Install Apache mod_security in Ubuntu
3. Enable CORS in Apache
To set Access-Control-Allow-Origin header in Apache, just add the following line inside either the <Directory>, <Location>, <Files> or <VirtualHost> sections of your file.
Header set Access-Control-Allow-Origin "*"
The above line will allow Apache to accept requests from all other domains. If you only want to accept CORS requests from specific domain (example.com), then use that domain instead of using * above.
Header set Access-Control-Allow-Origin "example.com"
Let us look at some of the use cases to allow CORS requests.
Directory Tag in Main Configuration File
In this case, the CORS requests will be allowed only to the specified folder & its subfolders on your website, and not all folders. Since we have added the configuration for root folder /var/www/html, it will be applicable to the entire website.
<Directory /var/www/html> ... Header set Access-Control-Allow-Origin "*" ... </Directory>
Here is an example to allow CORS only for folder /projects.
<Directory /var/www/html> ... Header set Access-Control-Allow-Origin "*" ... </Directory>
Anywhere in .htaccess file
In this case, the CORS requests will be allowed only for the domain whose .htaccess file you have modified.
... Header add Access-Control-Allow-Origin "*" ...
VirtualHost Tag in Virtual Host Configuration File
In this case, the CORS requests will be allowed only for virtual host whose configuration file you have updated.
<VirtualHost *:443> ... Header add Access-Control-Allow-Origin "*" ... </VirtualHost>
Bonus Read : How to Enable TLS 1.3 in Apache
There are different configurations available to enable CORS in Apache.
Enable CORS from all websites
If you want to enable CORS for all websites, that is, accept cross domain requests from all websites, add the following
Header add Access-Control-Allow-Origin *;
In the above statement, we use wildcard (*) for Apache Access-Control-Allow-Origin directive
Enable CORS from one domain
If you want to enable CORS for one website domain (e.g example.com), specify that domain in place of wildcard character *.
Header add Access-Control-Allow-Origin "example.com";
Enable CORS from multiple domains & subdomains
If you want to enable CORS for multiple domains (e.g example1.com, example2.com,example3.com and subdomain blog.example4.com), specify them separately one after another
Header add Access-Control-Allow-Origin "example1.com"; Header add Access-Control-Allow-Origin "example2.com"; Header add Access-Control-Allow-Origin "example3.com"; Header add Access-Control-Allow-Origin "blog.example4.com";
Enable CORS from localhost
If you want to enable CORS from localhost, add 127.0.0.1 or localhost in place of domain name
Header add Access-Control-Allow-Origin "localhost";
Bonus Read : How to Generate CSR for SSL Certificate in Linux
4. Test Apache Configuration
Test Apache configuration to ensure that there are no errors.
$ sudo apachectl -t
Bonus Read : How to Install SSL Certificate on Apache Windows
5. Restart Apache Server
If you see no errors in previous steps, restart Apache web server
$ sudo systemctl restart apache2
Now your Apache web server will automatically server requests from other domains.
Ubiq makes it easy to visualize data in minutes, and monitor in real-time dashboards. Try it Today!
Sreeram Sreenivasan is the Founder of Ubiq. He has helped many Fortune 500 companies in the areas of BI & software development.