set access-control-allow-origin

How to Set Access-Control-Allow-Origin (CORS) Headers in Apache

Cross Origin Resource Sharing (CORS) allows your web server to accept and serve requests from other domains. By default, CORS is disabled in Apache. You need to set Access-Control-Allow-Origin Header to enable CORS in Apache. Here’s how to set Access-Control-Allow-Origin header in Apache.

How to Set Access-Control-Allow-Origin (CORS) Headers in Apache

Here are the steps to set Access-Control-Allow-Origin header in Apache.

1. Enable headers module

You need to enable headers module to enable CORS in Apache.

Ubuntu/Debian

In ubuntu/debian linux, open terminal & run the following command to enable headers module.

$ sudo a2enmod headers

CentOS/Redhat/Fedora

In CentOS/Redhat/Fedora linux, open the Apache configuration file httpd.conf and uncomment the following line by removing # in front of them.

LoadModule headers_module modules/mod_headers.so

2. Open Apache Configuration File

You can enable CORS in Apache by modifying Apache Server configuration file, or .htaccess file.

Using Apache Server Configuration File

If you have access to Apache server configuration file, open it in a text editor. Apache configuration file is located at any of the following locations, depending on your installation

  • /etc/apache2/httpd.conf
  • /etc/apache2/apache2.conf
  • /etc/httpd/httpd.conf
  • /etc/httpd/conf/httpd.conf
$ sudo vi /etc/apache2/httpd.conf

Using .htaccess file

If you don’t have access to Apache server configuration file, open .htaccess file in a text editor.

$ sudo vi /var/www/html/.htaccess

Bonus Read : How to Install Apache mod_security in Ubuntu

3. Enable CORS in Apache

To set Access-Control-Allow-Origin header in Apache, just add the following line inside either the <Directory><Location><Files> or <VirtualHost> sections of your file.

Header set Access-Control-Allow-Origin "*"

The above line will allow Apache to accept requests from all other domains. If you only want to accept CORS requests from specific domain (example.com), then use that domain instead of using * above.

Header set Access-Control-Allow-Origin "example.com"

Let us look at some of the use cases to allow CORS requests.

Directory Tag in Main Configuration File

In this case, the CORS requests will be allowed only to the specified folder & its subfolders on your website, and not all folders. Since we have added the configuration for root folder /var/www/html, it will be applicable to the entire website.

<Directory /var/www/html>
   ...
   Header set Access-Control-Allow-Origin "*"
   ...
</Directory>

Here is an example to allow CORS only for folder /projects.

<Directory /var/www/html>
 ...   
 Header set Access-Control-Allow-Origin "*" 
 ... 
</Directory>

Anywhere in .htaccess file

In this case, the CORS requests will be allowed only for the domain whose .htaccess file you have modified.

   ...
   Header add Access-Control-Allow-Origin "*"
   ...

VirtualHost Tag in Virtual Host Configuration File

In this case, the CORS requests will be allowed only for virtual host whose configuration file you have updated.

<VirtualHost *:443>
   ...
   Header add Access-Control-Allow-Origin "*"
   ...
</VirtualHost>

Bonus Read : How to Enable  TLS 1.3 in Apache

There are different configurations available to enable CORS in Apache.

Enable CORS from all websites

If you want to enable CORS for all websites, that is, accept cross domain requests from all websites, add the following

Header add Access-Control-Allow-Origin *;

In the above statement, we use wildcard (*) for Apache Access-Control-Allow-Origin directive

Enable  CORS from one domain

If you want to enable CORS for one website domain (e.g example.com), specify that domain in place of wildcard character *.

Header add Access-Control-Allow-Origin "example.com";

Enable CORS from multiple domains & subdomains

If you want to enable CORS for multiple domains (e.g example1.com, example2.com,example3.com and subdomain blog.example4.com), specify them separately one after another

Header add Access-Control-Allow-Origin "example1.com";
Header add Access-Control-Allow-Origin "example2.com";
Header add Access-Control-Allow-Origin "example3.com";
Header add Access-Control-Allow-Origin "blog.example4.com";

Enable CORS from localhost

If you want to enable CORS from localhost, add 127.0.0.1 or localhost in place of domain name

Header add Access-Control-Allow-Origin "localhost";

Bonus Read : How to Generate CSR for SSL Certificate in Linux

4.  Test Apache Configuration

Test Apache configuration to ensure that there are no errors.

$ sudo apachectl -t

Bonus Read : How to Install SSL Certificate on Apache Windows

5. Restart Apache Server

If you see no errors in previous steps, restart Apache web server

$ sudo systemctl restart apache2

Now your Apache web server will automatically server requests from other domains.

Ubiq makes it easy to visualize data in minutes, and monitor in real-time dashboards. Try it Today!

mm

About Ubiq

Ubiq is a powerful dashboard & reporting platform for small & medium businesses. Build dashboards, charts & reports for your business in minutes. Get insights from data quickly. Try it for free today!