CORS (Cross-Origin Resource Sharing)
in C# and .NET

CORS, or Cross-Origin Resource Sharing, is a crucial security mechanism that enables web applications to request resources from different domains. Learn how to configure CORS in .NET to ensure secure and seamless API integration.

Jun 19, 2025

Moltech Solutions Inc.

85% Improved Security

CORS policies control access to your APIs from external sources.

70% Seamless API Integration

Cross-origin requests enable modern apps to connect across services.

60% Reduced Misconfig Errors

Proper setup of CORS reduces failed preflight and access issues.

Reading Progress0%

Quick Actions

Popular Tags

#CORS in .NET#Cross-Origin Resource Sharing#ASP.NET Core Security#Same-Origin Policy#CORS Configuration#Web API Integration#HTTP Headers#CORS Best Practices#C# Web Development#.NET 8.0

CORS (Cross-Origin Resource Sharing) in C# and .NET

The Ultimate Guide to Mastering Performance Optimization in React

Moltech Solution Inc.

March 6, 2024

Web Development

CORS, or Cross-Origin Resource Sharing, is a crucial security mechanism that enables web applications to request resources from a domain other than their own.

This blog post will explore the concept of CORS, its importance, and the steps to implement it successfully in C# and .NET frameworks.

1. What is CORS (Cross-Origin Resource Sharing)?

CORS (Cross-Origin Resource Sharing) is a browser security feature that regulates resource sharing between different domains to enhance security.

Controls access to web server resources by external domains.
Prevents unauthorized cross-origin requests by default.
Ensures secure data exchange between trusted origins.
Configurable on servers to allow specific origins or methods.

Scenario Overview

If you have a web application hosted onhttp://frontend-app.comthat needs to fetch data from a REST API hosted onhttp://api.backend-server.com, then you’re dealing with different origins (different domains). The browser enforces the Same-Origin Policy, which blocks requests made from one origin to another unless explicitly allowed by the server.

Let’s see an example of a shopping website fetching product data.

You visit https://mystore.com, an online shopping website. The website’s frontend needs to fetch product details, pricing, and inventory from its backend API hosted athttps://api.mystore.com. Since the frontend and backend are on different origins (different subdomains), the browser enforces the Same-Origin Policy and blocks the request unless CORS is properly configured.

1. The Frontend Makes a Request

When you browse the product page on https://mystore.com, the frontend sends a request to the backend API to fetch product data:

// Frontend request example
fetch('https://api.mystore.com/products', {
  method: 'GET',
  headers: { 'Content-Type': 'application/json' }
}).then(r => r.json());

2. Same-Origin Policy Check

The browser checks the origin of the request:

Frontend Origin:https://mystore.com
Backend API Origin:https://api.mystore.com

Since these origins are different, the browser enforces the Same-Origin Policy and blocks the request, returning a CORS error like this:

Access to fetch at 'https://api.mystore.com/products' from origin 'https://mystore.com' has been blocked by CORS policy.

How to Enable CORS in .NET 8.0

The scenario described can be addressed using the following example in .NET Core 8.0.

1. Add CORS Middleware

Make sure the Microsoft.AspNetCore. Cors package is installed (usually included by default in ASP.NET Core)

dotnet add package Microsoft.AspNetCore.Cors

Step 1: Add CORS Services

Add the CORS policy to allow requests from your frontend origin.

You can configure CORS by calling AddCors in the builder.Services section of your Program.cs file:

dotnet add package Microsoft.AspNetCore.Cors

// Program.cs (.NET 8)
var builder = WebApplication.CreateBuilder(args);
builder.Services.AddCors(options =>
{
    options.AddPolicy("AllowSpecificOrigin", policy =>
        policy.WithOrigins("https://mystore.com")
              .AllowAnyHeader()
              .AllowAnyMethod());
});

"AllowSpecificOrigin" is a policy name that can be used in middleware in the subsequent step.

Step 2: Apply the CORS Policy

Use the CORS middleware to apply the policy. This configuration can be applied globally across the entire application or tailored to specific endpoints.

Global Application

1
2
3

// Apply CORS globally
var app = builder.Build();
app.UseCors("AllowSpecificOrigin");

Per Endpoint

We can also Apply the CORS policy to specific controllers or endpoints:

1
2
3

// Apply CORS to a specific endpoint
app.MapGet("/products", () => Results.Ok(new [] { "Item1", "Item2" }))
   .RequireCors("AllowSpecificOrigin");

Step 3: Test the CORS Configuration

You can test the CORS headers using browser developer tools. Make sure the
Access-Control-Allow-Origin header is present in the server's response.

Ensure your API server includes the appropriate CORS headers in its responses when requests come from allowed origins like (https://mystore.com in this example).
Use your browser's developer tools (typically the Network tab) to inspect the API response and confirm that it includes the necessary headers such as

Access-Control-Allow-Origin: https://mystore.com

Access-Control-Allow-Origin: https://mystore.com

Key CORS Headers

Cross-Origin Resource Sharing (CORS) utilizes certain HTTP headers to decide if a browser should permit requests from different origins. These headers are crucial for securing cross-origin requests and adhering to the rules set by the server.

1. Access-Control-Allow-Origin: Defines the origins that are allowed to access the resource.

Access-Control-Allow-Origin: https://example.com

A missing or incorrect header results in the browser blocking the request.
Restricts access to trusted origins, preventing unauthorized cross-origin requests.

2. Access-Control-Allow-Methods : The HTTP methods permitted for cross-origin requests include GET, POST, and HEAD.

Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS

Make sure that the client is only able to carry out actions that are allowed on the resource.

3. Access-Control-Allow-Headers : Defines the HTTP headers that may be utilized within a request.

Access-Control-Allow-Headers: Content-Type, Authorization, X-Custom-Header

This enables the client to incorporate custom or restricted headers such as Authorization or X-Custom-Header.

4 . Access-Control-Expose-Headers : Response header specifies which headers are accessible to the browser in the response to a cross-origin request.

By default, browsers limit access to sensitive headers such as ‘Content-Length’ or custom headers.
This header allows clients to read specified headers, enhancing data access control.

5. Access-Control-Max-Age : The duration for which a browser can cache the results of a preflight request is specified by the `Access-Control-Max-Age` header. This value is set in seconds and dictates how long the preflight response is valid before a new preflight request must be made.

Access-Control-Max-Age: 3600

Minimizing repetitive preflight requests enhances performance.

6. Access-Control-Allow-Credentials: Indicates whether cookies or credentials can be sent in cross-origin requests.

Access-Control-Allow-Credentials: true

The Access-Control-Allow-Credentials header is crucial for enabling credentials like cookies, authorization headers, or TLS client certificates in cross-origin requests. It needs to be set to ‘true’ to activate this feature.

Tight Coupling with Access-Control-Allow-Origin, Access-Control-Allow-Credentials: true cannot be used with a wildcard (*) in the Access-Control-Allow-Origin header.

If misconfigured, credentials might be exposed to unauthorized origins, leading to security vulnerabilities like session hijacking or cross-site scripting (XSS).

Benefits of Using CORS

CORS is used to overcome the same-origin policy enforced by web browsers, which restricts web pages from making requests to a domain other than the one that served the web page. Here’s why CORS is essential:

- API Security:
- Browsers enforce the Same-Origin Policy to prevent websites from accessing resources on another domain unless explicitly allowed.
- This protects users from malicious websites trying to access sensitive data from other origins (like cookies or APIs) (cross-origin attacks)
Cross-Origin Requests in Modern Applications
- Many web applications involve cross-origin communication
- A frontend hosted athttps://example.comfetching data from an API athttps://api.example.com.
- Third-party integrations like Google Maps, payment gateways, or external APIs.
- Without CORS, such requests would be blocked by the browser.
Controlled Resource Sharing OR Flexibility CORS allows fine-grained control over shared resources:
- Define allowed origins, methods, and headers.
- Specify how long responses can be cached (Access-Control-Max-Age).
- Enable specific use cases like credentials sharing (Access-Control-Allow-Credentials).
Compliance with Browser Security Policies:
- Browsers enforce same-origin policies for a reason, and CORS helps maintain security while allowing legitimate cross-origin communication.

When Should We Use CORS?

CORS should be enabled in scenarios such as:

Frontend-Backend Hosted on Different Domains or SPA

For APIs or services hosted externally, such as payment gateways or cloud APIs.

Third-Party Integrations:

For APIs or services hosted externally, such as payment gateways or cloud APIs.

Cross-Origin API Calls

To fetch or send data to a server on a different domain.

Microservices Architecture:

A microservices-based system where services are deployed on different subdomains or hosts (e.g., auth.example.com, data.example.com).

There are many examples with different architectures.

Best Practices for Configuring CORS

Avoid Using Access-Control-Allow-Origin: *
- Allowing all origins (*) is insecure, especially for APIs that deal with sensitive data or require authentication.
- Dynamically set the Access-Control-Allow-Origin header based on the Origin header in the request.
Use Whitelisted Domains
- Restricting CORS to known, trusted domains minimizes the risk of unauthorized access.
Enable Access-Control-Allow-Credentials Only When NecessaryAccess-Control-Allow-Origin: *
- Allowing credentials (e.g., cookies, authorization headers) introduces security risks if origins are not tightly controlled.
- Combine it with an explicit Access-Control-Allow-Origin (wildcards are not allowed with credentials).
Leverage Access-Control-Max-Agefor Preflight Caching
- Preflight requests (OPTIONS) can introduce latency to API calls. Utilize the Access-Control-Max-Age header to cache preflight responses for an appropriate period, such as 3600 seconds, which is equivalent to one hour.
. Match theOriginHeader Dynamically
- A static Access-Control-Allow-Origin header may be unsuitable for APIs that serve multiple domains. Instead, dynamically match the incoming Origin header and set it accordingly in the response.

// Example dynamic CORS (simplified)
app.Use(async (context, next) =>
{
    var origin = context.Request.Headers["Origin"].ToString();
    var allowed = new[] { "https://mystore.com", "https://admin.mystore.com" };
    if (!string.IsNullOrEmpty(origin) && allowed.Contains(origin))
    {
        context.Response.Headers["Access-Control-Allow-Origin"] = origin;
        context.Response.Headers["Vary"] = "Origin";
        context.Response.Headers["Access-Control-Allow-Headers"] = "Content-Type, Authorization";
        context.Response.Headers["Access-Control-Allow-Methods"] = "GET, POST, PUT, DELETE, OPTIONS";
        context.Response.Headers["Access-Control-Allow-Credentials"] = "true";
    }
    await next();
});

You can configure “AllowedOrigins” within the appsettings.json file. as below example.

// appsettings.json
{
  "Cors": {
    "AllowedOrigins": [
      "https://mystore.com",
      "https://admin.mystore.com"
    ]
  }
}

Add a section in your appsettings.json to define the allowed origins and other CORS settings. Now, load the CORS settings from appsettings.json in Program.cs

// Program.cs - load from configuration
var allowedOrigins = builder.Configuration.GetSection("Cors:AllowedOrigins").Get<string[]>() ?? Array.Empty<string>();
builder.Services.AddCors(o => o.AddPolicy("AllowSpecificOrigin",
    p => p.WithOrigins(allowedOrigins)
          .AllowAnyHeader()
          .AllowAnyMethod()));

The approach mentioned offers benefits such as centralized configuration and environment-specific configurations.

. Protect Against CSRF (Cross-Site Request Forgery)

CORS does not prevent CSRF attacks, particularly when credentials are involved. Employ CSRF tokens and validate requests server-side. Make sure cookies are marked with SameSite=strict or SameSite=lax.

. Provide Clear Error Messages for Blocked Requests

Debugging CORS issues can pose a challenge for developers. It’s beneficial to log CORS errors on the server and offer meaningful messages to clients when their requests are blocked

Conclusion

CORS plays a crucial role in today’s web development, facilitating secure interactions across various domains, which is particularly vital for APIs and handling cross-origin requests. By incorporating CORS into .NET, developers can guarantee smooth communication for Single Page Applications, external integrations, and backend services.

Loading content...