What is the IIS CORS module?

Posted: 21.11.2018 19.14.54 (EET/GMT+2)

The IIS CORS module adds built-in support for handling Cross-Origin Resource Sharing (CORS) rules on IIS. Instead of implementing CORS logic in your application code (such as in ASP.NET), you can configure it at the web server level in web.config.

Once the IIS module is installed, you can enable CORS for a site like this:

<configuration>
  <system.webServer>
    <cors enabled="true">
      <add origin="https://example.com">
        <allowHeaders allowAllRequestedHeaders="true" />
        <allowMethods>
          <add method="GET" />
          <add method="POST" />
        </allowMethods>
      </add>
    </cors>
  </system.webServer>
</configuration>

IIS will then respond with the appropriate Access-Control-Allow-Origin, Access-Control-Allow-Methods and related HTTP headers when the browser sends CORS preflight requests.

This is helpful when:

You are hosting multiple applications (APIs, perhaps) on the same IIS server and want to specify CORS rules only once.
You prefer configuration over code for CORS handling.

For ASP.NET Core, you can also use the built-in CORS middleware, but for classic ASP.NET or mixed environments, the separate IIS CORS module is a nifty option.