How to Enable CORS in Apache Server

Apache is a popular web server that is commonly used to run websites and blogs. Apache itself answers HTTP requests from anyone who sends them, but web browsers enforce a same-origin policy: a page loaded from one domain may send requests to another domain, yet the browser will not let that page's JavaScript read the response unless the server explicitly permits it. The mechanism a server uses to grant that permission is cross-origin resource sharing (CORS). In this article, we will learn how to enable CORS in Apache server.

What is CORS

CORS stands for Cross-Origin Resource Sharing. It is a mechanism by which a web server tells browsers which other origins (an origin is the combination of scheme, host and port) may read its responses from script. Without it, browsers apply the same-origin policy for security purposes: a page served from another origin can still send a request, but the browser withholds the response from that page. You can enable CORS for one or more URLs of your site, and for one or more domains hosted on your server.

When a page makes a cross-origin request, the browser adds an Origin request header naming the page's origin. For requests that are not simple (methods other than GET, HEAD or POST, or custom request headers such as Authorization), the browser first sends an OPTIONS preflight request. The server answers with Access-Control-Allow-Origin and related response headers, and the browser compares them with the page's origin. If they match, the page's script may read the response; otherwise the browser blocks the page from reading it. Note that the request itself still reaches the server and is processed; CORS controls what the browser exposes to the page, not what the server accepts.

Why Enable CORS in Apache

By default, Apache sends no CORS headers at all, so browsers fall back to the same-origin policy. For example, if you run mysite.com on Apache, scripts on pages of that site can read its responses, but a page on mysite2.com cannot, even if you run both websites on the same Apache server using virtual hosts. Apache still receives and answers the request coming from the mysite2.com page; the browser simply withholds the response from the calling page.

But sometimes, you need pages on other domains to read your responses. For example, if you run an API service, browser-based clients hosted on other domains need to call it and read the results. In such cases, you will need to enable cross-origin resource sharing (CORS) on your Apache server.

How to Enable CORS in Apache Server

Now let us look at the different ways to enable CORS in Apache server. CORS is handled by the mod_headers module, which sets the response headers that browsers look for. First of all, enable it using the following command. (a2enmod is the Debian/Ubuntu way; on RHEL-based systems mod_headers is normally loaded already through a LoadModule directive in the main configuration.)

sudo a2enmod headers

Next, add the CORS headers to the Apache configuration file (e.g. httpd.conf or apache2.conf), to a virtual host file, or to a .htaccess file. They can go inside a <Directory>, <Location>, <Files> or <VirtualHost> section. Note that .htaccess files are only honoured where AllowOverride permits it; mod_headers directives need at least AllowOverride FileInfo for that directory. There are several common use cases worth considering here.

If you want to allow access from all domains to your server, then add the following code snippet as described above.

<IfModule mod_headers.c>
Header set Access-Control-Allow-Origin "*"
</IfModule>

Here, Apache first checks whether mod_headers is loaded. If it is, it sets the response header Access-Control-Allow-Origin to *, which tells browsers that a page from any origin may read the response. Two caveats: if mod_headers is not loaded, the <IfModule> block is silently skipped and no header is sent, so verify the result rather than assume it; and browsers refuse to honour a * value for credentialed requests (cookies, HTTP authentication), so a wildcard is only suitable for anonymous, public resources.

If you want to allow access from specific domain, add the following code snippet.

<IfModule mod_headers.c>
Header set Access-Control-Allow-Origin "https://example.com"
</IfModule>

Here Apache does not compare anything itself: it sends Access-Control-Allow-Origin: https://example.com on every matching response, regardless of who asked. The comparison happens in the browser, which exposes the response only to pages whose origin exactly equals that value (the scheme counts, so a page on http://example.com would not match).

If you want to allow access from multiple domains but not all domains, you cannot simply repeat the Header set line once per domain: each set replaces the previous value, so only the last domain would ever be sent, and the Access-Control-Allow-Origin header accepts only a single origin anyway. Instead, match the Origin request header against an allow-list and echo back the origin that matched:

<IfModule mod_headers.c>
# mod_setenvif (loaded by default): remember the origin only if it is on the allow-list
SetEnvIf Origin "^https://(site1|site2|site3)\.com$" ORIGIN_ALLOWED=$0
# send the header only when the variable is set, echoing the matched origin
Header set Access-Control-Allow-Origin "%{ORIGIN_ALLOWED}e" env=ORIGIN_ALLOWED
# tell caches the response depends on the Origin request header
Header merge Vary Origin
</IfModule>

In this case, SetEnvIf tests the Origin request header of each request against an anchored regular expression and, on a match, stores the whole matched origin in the ORIGIN_ALLOWED environment variable. The Header line is conditional on that variable, so Access-Control-Allow-Origin is sent only to allowed origins and carries exactly the origin that asked. Keep the ^ and $ anchors and escape the dots: Apache searches the regex within the header value, so an unanchored pattern such as site1.com would also match an origin like https://site1.com.evil.example. The Vary: Origin header tells caches that the response differs per origin, so one origin's cached response is not replayed to another.

The above configurations leave the permitted request methods at the browser's defaults. When a page sends a request that is not simple (a method other than GET, HEAD or POST, or custom request headers such as Authorization, or a JSON Content-Type), the browser first sends an OPTIONS preflight and checks Access-Control-Allow-Methods (and, for custom headers, Access-Control-Allow-Headers) in the reply. Here is an example that tells browsers to permit only GET, POST and OPTIONS from site1.com. Be clear about what this does and does not do: it makes browsers refuse to issue, say, a cross-origin DELETE from a page, but it does not stop a non-browser client such as curl or a script from sending any method it likes. To actually restrict methods on the server, use Apache's own access control, for example Require directives inside a <Limit> section. The preflight OPTIONS request must itself receive a 2xx response; Apache answers OPTIONS for static files on its own, but an application or proxied backend has to handle it.

<IfModule mod_headers.c>
Header set Access-Control-Allow-Origin "https://site1.com"
Header set Access-Control-Allow-Methods "GET, POST, OPTIONS"
</IfModule>

Test Apache configuration and restart Apache server to apply changes.

sudo apachectl -t
sudo service apache2 restart

Now, when a page on another origin sends a request to your website, the browser adds the page's origin in the Origin request header. Apache processes the request as usual and, where the configuration above applies, includes Access-Control-Allow-Origin (and any other CORS headers you set) in the response. The browser then compares that header with the page's origin: if it matches, the page's script receives the response; otherwise the browser discards it and reports a CORS error in the console, even though the server already handled the request. For non-simple requests the same check is applied to the OPTIONS preflight first, and the real request is sent only if the preflight passes. You can verify what Apache actually sends with curl by adding an Origin request header to the request and inspecting the response headers for Access-Control-Allow-Origin.
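To make both halves of this exchange concrete, here is an added Python model written for this article; it is example code, not Apache's own logic or configuration from this page. The allow-list regex mirrors the SetEnvIf pattern for site1.com, site2.com and site3.com above, browser_allows_response applies the comparison the browser makes (including the rule that * is rejected for credentialed requests), and preflight_allows applies the Access-Control-Allow-Methods logic from the previous section. The origins, header values and the LAX_ORIGIN_RE pattern are constructed for illustration; the latter exists only to show what an unanchored allow-list lets through.

```python
"""Model of both halves of a CORS exchange: the origin allow-list a server such
as Apache applies (what a SetEnvIf regex plus mod_headers computes) and the
checks a browser runs on the response. Added example, not Apache's own code;
origins and allow-lists are constructed for illustration."""
import re
from typing import Callable, Dict, Iterable, Pattern, Set

# Anchored allow-list: scheme, host and the end of the string all have to match.
ALLOWED_ORIGIN_RE: Pattern[str] = re.compile(r"^https://(site1|site2|site3)\.com$")
# Unanchored allow-list, kept only to show the failure mode: it also matches
# "https://site1.com.evil.example" because the regex is searched, not full-matched.
LAX_ORIGIN_RE: Pattern[str] = re.compile(r"https://site1\.com")

SAFELISTED_METHODS = {"GET", "HEAD", "POST"}


def server_cors_headers(request_headers: Dict[str, str],
                        pattern: Pattern[str] = ALLOWED_ORIGIN_RE,
                        allow_credentials: bool = False) -> Dict[str, str]:
    """CORS response headers the server emits for one request.
    Only an Origin that matches the allow-list is echoed back; anything else
    (no Origin header, as with curl, or an unlisted origin) gets no CORS headers,
    which makes the browser withhold the response from the calling page."""
    origin = request_headers.get("Origin")
    if origin is None or pattern.search(origin) is None:
        return {}
    headers = {
        "Access-Control-Allow-Origin": origin,
        "Vary": "Origin",  # stop caches from replaying one origin's response to another
    }
    if allow_credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def browser_allows_response(origin: str, response_headers: Dict[str, str],
                            with_credentials: bool = False) -> bool:
    """Simplified form of the browser's check on a cross-origin response:
    Access-Control-Allow-Origin must be "*" or exactly the requesting origin;
    for credentialed requests "*" is rejected and
    Access-Control-Allow-Credentials must be "true"."""
    acao = response_headers.get("Access-Control-Allow-Origin")
    if acao is None:
        return False
    if with_credentials:
        if acao == "*":
            return False
        if response_headers.get("Access-Control-Allow-Credentials") != "true":
            return False
    return acao == "*" or acao == origin


def _csv_set(value: str, fold: Callable[[str], str]) -> Set[str]:
    """Split a comma-separated header value into a normalised set of tokens."""
    return {fold(item.strip()) for item in value.split(",") if item.strip()}


def preflight_allows(method: str, extra_request_headers: Iterable[str],
                     preflight_response_headers: Dict[str, str]) -> bool:
    """Simplified preflight decision. GET, HEAD and POST are always accepted
    (browsers treat them as safelisted); other methods must be listed in
    Access-Control-Allow-Methods, and every non-safelisted request header
    (Authorization, X-Custom, ...) must be listed in Access-Control-Allow-Headers.
    The "*" wildcard forms of these two headers are not modelled."""
    allowed_methods = _csv_set(preflight_response_headers.get("Access-Control-Allow-Methods", ""), str.upper)
    allowed_headers = _csv_set(preflight_response_headers.get("Access-Control-Allow-Headers", ""), str.lower)
    if method.upper() not in SAFELISTED_METHODS and method.upper() not in allowed_methods:
        return False
    return all(name.lower() in allowed_headers for name in extra_request_headers)


if __name__ == "__main__":
    page_origin = "https://site1.com"
    for origin in (page_origin, "https://site1.com.evil.example", "http://site1.com"):
        resp = server_cors_headers({"Origin": origin})
        print(f"{origin:35} -> {resp.get('Access-Control-Allow-Origin', '(no CORS header)')}")
    # Wildcard is fine for anonymous requests but rejected once cookies are involved.
    print(browser_allows_response(page_origin, {"Access-Control-Allow-Origin": "*"}))
    print(browser_allows_response(page_origin, {"Access-Control-Allow-Origin": "*"}, with_credentials=True))
    # Allow-Methods only affects preflighted requests: DELETE is refused, POST passes.
    print(preflight_allows("DELETE", [], {"Access-Control-Allow-Methods": "GET, POST, OPTIONS"}))
```

Running the block prints that only https://site1.com is echoed back while the look-alike and http:// origins get no header, that the wildcard passes for an anonymous request and fails for a credentialed one, and that DELETE is refused by the preflight. Pass pattern=LAX_ORIGIN_RE to server_cors_headers to see the unanchored allow-list happily echo https://site1.com.evil.example.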

Points to Remember

There are a few things to remember when you enable CORS on your website.

  1. First of all, allow only as much as is required. It means allow CORS only for the URLs on your website that need it, not for all URLs, and only for the domains and subdomains that need access, not all of them. This limits your exposure and does not open your site unnecessarily.
  2. It is good to maintain a document listing your site URLs and the external domains involved in cross-origin requests, so that you can easily track them.
  3. If you no longer need CORS on your site, disable it at the earliest. Often system administrators continue to allow CORS even after its use is over, which keeps responses readable from pages on other domains.
  4. Never echo back an arbitrary Origin value together with Access-Control-Allow-Credentials: true. That combination lets any website make credentialed requests as your logged-in users and read the results, which is exactly what the same-origin policy exists to prevent. Reflect the origin only after matching it against an explicit allow-list.

Conclusion

In this article, we have learnt how to enable CORS in Apache server. We have learnt what CORS is and why it is needed. We have also covered different use cases to enable CORS in Apache server. You can use any of the above mentioned solutions, as per your requirement. Make sure that you allow only required domains and not all, unless necessary. Also, if you do not need to enable CORS anymore, then disable it at the earliest to avoid security breaches.
