How to Enable CORS on Server

  Tech Blog abhishekjnvk   Jan 7, 2023   0
How to Enable CORS on Server

In this blog post, We'll provide step-by-step instructions on how to enable CORS in a variety of programming languages, including JavaScript, PHP, Python, go, and Java. Whether you're a web developer or a system administrator, this post will give you the knowledge and tools you need to securely allow cross-domain requests on your server. let's start with the basics. What is CORS?

What is CORS

Cross-origin resource sharing (CORS) is a browser mechanism which enables controlled access to resources located outside of a given domain. It allows web pages to make requests to a different domain than the one that served the web page. read more about cors

Let's See how to enable CORS on server in different programming languages.

PHP

Method 1

To enable CORS (Cross-Origin Resource Sharing) in PHP, you can use the header function to set the appropriate HTTP headers in the response. Here is an example of how to enable CORS in a PHP script:

The Access-Control-Allow-Origin header specifies which domains are allowed to access the resource. In this example, the value * allows any domain to access the resource. You can also specify specific domains by listing them separated by commas.

The Access-Control-Allow-Methods header specifies which HTTP methods are allowed when accessing the resource. In this example, the value GET, POST, PUT, DELETE, OPTIONS allows all common HTTP methods.

The Access-Control-Allow-Headers header specifies which HTTP headers are allowed when accessing the resource. In this example, the value X-Requested-With, Content-Type, Accept allows common headers that are often used in HTTP requests.

Note that these headers must be set in the server's response to a preflight request (an OPTIONS request) made by the client before the actual request is made. This allows the client to check if the server allows the actual request before making it.

Method 2

It is also possible to enable CORS in PHP using the .htaccess file or by configuring the server directly. Consult the documentation for your server and PHP environment for more information on these options.

To enable CORS (Cross-Origin Resource Sharing) in PHP using .htaccess, you can add the following lines to your .htaccess file:

Header set Access-Control-Allow-Origin "*"
Header set Access-Control-Allow-Methods: "GET, POST, PUT, DELETE, OPTIONS"
Header set Access-Control-Allow-Headers: "Content-Type, Accept"

This will allow your PHP scripts to be accessed from any domain. If you want to allow access only from specific domains, you can replace the "*" with a comma-separated list of domains. For example:

Header set Access-Control-Allow-Origin "http://example.com, http://www.example.com"

It's worth noting that the .htaccess file must be placed in the root directory of your website, and the Apache web server must have the mod_headers module enabled for these headers to be accepted.

Node.js

Method 1

To handle CORS (Cross-Origin Resource Sharing) in a Node.js server, you can use the cors middleware. Here is an example of how to use the cors middleware in an Express.js server:

const express = require("express")
const cors = require("cors")
const app = express()
app.use(cors())

app.get("/", (req, res) => {
  res.send("Hello, World!")
})
app.listen(3000, () => {
  console.log("Server listening on port 3000")
})

In this example, the cors middleware is used to enable CORS for all routes in the Express.js server. This allows clients from any domain to access the server's resources.

You can also use the cors middleware to specify which domains are allowed to access the server's resources by passing an options object to the cors function. For example:

app.use(
  cors({
    origin: ["http://example.com", "http://example.org"],
    methods: ["GET", "POST"],
    allowedHeaders: ["Content-Type", "Authorization"],
  })
)

In this example, the origin option specifies that only requests from http://example.com and http://example.org are allowed to access the server's resources. The methods option specifies that only GET and POST requests are allowed. The allowedHeaders option specifies which HTTP headers are allowed in the request.

Needless to say that the cors middleware is just one way to handle CORS in a Node.js server. You can also use other libraries or write your own custom CORS handling code.

Method 2

Alternatively, you can also write your own custom CORS handling code by setting the appropriate HTTP headers in your Node.js server. Here is an example of how you can do this:

app.use((req, res, next) => {
  res.header("Access-Control-Allow-Origin", "*")
  res.header("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS")
  res.header("Access-Control-Allow-Headers", "Content-Type, Accept")
  next()
})

This will allow your Node.js server to be accessed from any domain. If you want to allow access only from specific domains, you can replace the "*" with a comma-separated list of domains. For example:

res.header(
  "Access-Control-Allow-Origin",
  "http://example.com, http://www.example.com"
)

Flask

Method 1

To handle CORS (Cross-Origin Resource Sharing) in a Python server, you can use the flask-cors library. Here is an example of how to use flask-cors in a Flask server:

from flask import Flask
from flask_cors import CORS

app = Flask(__name__)
CORS(app)

@app.route('/')
def hello():
    return 'Hello, World!'

if __name__ == '__main__':
    app.run()

In this example, the CORS function is used to enable CORS for all routes in the Flask server. This allows clients from any domain to access the server's resources.

You can also use the CORS function to specify which domains are allowed to access the server's resources by passing an options object to the CORS function. For example:

CORS(app, origins=['http://example.com', 'http://example.org'], methods=['GET', 'POST'], allow_headers=['Content-Type', 'Authorization'])

In this example, the origins option specifies that only requests from http://example.com and http://example.org are allowed to access the server's resources. The methods option specifies that only GET and POST requests are allowed. The allow_headers option specifies which HTTP headers are allowed in the request.

It is worth noting that flask-cors is just one way to handle CORS in a Python server. You can also use other libraries or write your own custom CORS handling code.

Method 2:

Alternatively, you can also write your own custom CORS handling code by setting the appropriate HTTP headers in your Flask server. Here is an example of how you can do this:

@app.after_request
def after_request(response):
  response.headers.add('Access-Control-Allow-Origin', '*')
  response.headers.add('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE, OPTIONS')
  response.headers.add('Access-Control-Allow-Headers', 'Content-Type, Accept')
  return response

This will allow your Flask server to be accessed from any domain. If you want to allow access only from specific domains, you can replace the "*" with a comma-separated list of domains. For example:

response.headers.add('Access-Control-Allow-Origin', 'http://example.com, http://www.example.com')

GO

Method 1:

To handle CORS (Cross-Origin Resource Sharing) in a Go server, you can use the goji/cors middleware. Here is an example of how to use the goji/cors middleware in a Goji server:

package main
import (
	"net/http"
	"goji.io"
	"goji.io/pat"
	"golang.org/x/net/context"
	"github.com/goji/cors"
)

func main() {
	mux := goji.NewMux()

	// Enable CORS for all routes
	mux.Use(cors.Default().Handler)

	mux.HandleFuncC(pat.Get("/"), func(ctx context.Context, w http.ResponseWriter, r *http.Request) {
		w.Write([]byte("Hello, World!"))
	})

	http.ListenAndServe(":3000", mux)
}

In this example, the cors.Default().Handler function is used to enable CORS for all routes in the Goji server. This allows clients from any domain to access the server's resources.

You can also use the cors.New function to specify which domains are allowed to access the server's resources by passing an options object to the cors.New function. For example:

corsMiddleware := cors.New(cors.Options{
	AllowedOrigins:   []string{"http://example.com", "http://example.org"},
	AllowedMethods:   []string{"GET", "POST"},
	AllowedHeaders:   []string{"Content-Type", "Authorization"},
	AllowCredentials: true,
})
mux.Use(corsMiddleware.Handler)

In this example, the AllowedOrigins option specifies that only requests from http://example.com and http://example.org are allowed to access the server's resources. The AllowedMethods option specifies that only GET and POST requests are allowed. The AllowedHeaders option specifies which HTTP headers are allowed in the request. The AllowCredentials option specifies whether or not the server allows credentials in the request.

It is worth noting that the goji/cors middleware is just one way to handle CORS in a Go server. You can also use other libraries or write your own custom CORS handling code.

Method 2:

To write your own custom CORS handling code in Go, you can use the net/http package to set the appropriate HTTP headers. Here is an example of how you can do this:

func handler(w http.ResponseWriter, r *http.Request) {
  w.Header().Set("Access-Control-Allow-Origin", "*")
  w.Header().Set("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS")
  w.Header().Set("Access-Control-Allow-Headers", "Content-Type, Accept")
  // your route code goes here
}

This will allow your Go server to be accessed from any domain. If you want to allow access only from specific domains, you can replace the "*" with a comma-separated list of domains. For example:

w.Header().Set("Access-Control-Allow-Origin", "http://example.com, http://www.example.com")

You can also use the http.Handler interface to wrap your routes and automatically set the CORS headers for all responses. Here is an example of how you can do this:

type corsHandler struct {
  h http.Handler
}

func (ch corsHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
  w.Header().Set("Access-Control-Allow-Origin", "*")
  w.Header().Set("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS")
  w.Header().Set("Access-Control-Allow-Headers", "Content-Type, Accept")
  ch.h.ServeHTTP(w, r)
}

func main() {
  http.Handle("/api/data", corsHandler{http.HandlerFunc(handler)})
  // your server code goes here
}

This will allow you to wrap your routes with the CORS handling code, without having to repeat it for each route.

JAVA

To enable CORS (Cross-Origin Resource Sharing) in a Java server, you can use the javax.ws.rs.container.ContainerResponseFilter interface. Here is an example of how to implement a ContainerResponseFilter in a Java server using the Jersey library:

import java.io.IOException;

import javax.ws.rs.container.ContainerRequestContext;
import javax.ws.rs.container.ContainerResponseContext;
import javax.ws.rs.container.ContainerResponseFilter;
import javax.ws.rs.core.MultivaluedMap;

public class CORSResponseFilter implements ContainerResponseFilter {

  public void filter(ContainerRequestContext requestContext, ContainerResponseContext responseContext)
      throws IOException {

    MultivaluedMap<String, Object> headers = responseContext.getHeaders();

    headers.add("Access-Control-Allow-Origin", "*");
    headers.add("Access-Control-Allow-Methods", "GET, POST, DELETE, PUT");
    headers.add("Access-Control-Allow-Headers", "X-Requested-With, Content-Type, Accept");
  }
}

In this example, the filter method is called for every response sent by the server and adds the necessary CORS headers to the response. The Access-Control-Allow-Origin header specifies which domains are allowed to access the resource. In this example, the value * allows any domain to access the resource. You can also specify specific domains by listing them separated by commas. The Access-Control-Allow-Methods header specifies which HTTP methods are allowed when accessing the resource. The Access-Control-Allow-Headers header specifies which HTTP headers are allowed when accessing the resource.

To register the CORSResponseFilter in your Jersey server, you can use the register method of the ResourceConfig class:

ResourceConfig rc = new ResourceConfig();
rc.register(CORSResponseFilter.class);

It is worth noting that this is just one way to enable CORS in a Java server using the Jersey library. You can also use other libraries or write your own custom CORS handling code. Consult the documentation for your server and libraries for more information on how to enable CORS in your specific environment.

Tags

If you like this article, don't forget to share it with your friends and colleagues.