ASP.NET – How to enable CORS for all endpoints

The simplest way to enable CORS for all endpoints is by adding a default CORS policy in the Startup class.

The following code shows the two lines of code to add:

public class Startup { public Startup(IConfiguration configuration) { Configuration = configuration; } public IConfiguration Configuration { get; } public void ConfigureServices(IServiceCollection services) { //1 - Add default CORS policy - I am simply allowing everything services.AddCors(o => o.AddDefaultPolicy(b => b.AllowAnyOrigin().AllowAnyMethod().AllowAnyHeader())); services.AddControllers(); } public void Configure(IApplicationBuilder app, IWebHostEnvironment env) { if (env.IsDevelopment()) { app.UseDeveloperExceptionPage(); } app.UseHttpsRedirection(); app.UseRouting(); //2 - Adds CORS middleware. This must be placed AFTER app.UseRouting(). app.UseCors(); app.UseAuthorization(); app.UseEndpoints(endpoints => { endpoints.MapControllers(); }); } }

Note: Put whatever CORS policy makes sense for you. In the code above, I am simply allowing everything.

Test CORS locally

To test this locally you can call your web API from a browser from a page running on a different port. Chrome enforces CORS even when the port number is different, so that makes things simple for us to test this.

I have the following setup:

  • My ASP.NET web API is running on localhost:44379
  • My test page is running on localhost:44395

1 – Create a web page that calls your endpoint

I have a page with a button that says [Send ping]. It calls my web API endpoint and logs the results.

<script type="text/javascript" language="javascript"> function sendPing() { fetch("https://localhost:44379/ping") .then(data => console.log(data)) .then(res => console.log(res)) .catch(error=>console.error(error)) } </script> <div class="text-center"> <button type="submit" onclick="javascript:sendPing()">Send ping</button> </div>

2 – Before you enable CORS, verify you get a 405 – Method Not Allowed

To be able to verify that the CORS policy works, I first have to verify that get a 405 – Method Not Allowed when the CORS policy isn’t enabled.

3 – After enabling CORS, verify your request is now allowed

I added the CORS policy to my web API. Then in my test page in the browser, I clicked the [Send ping] button and verified that this cross-origin request is now allowed.

Leave a Comment