ASP.NET – How to add a CORS policy to enable requests from the browser

When you send requests from the browser, you’ll run into CORS errors unless you’ve explicitly added a CORS policy that allows your requests.

I’ll show an example of adding a simple CORS policy that allows all origins for all endpoints (thus allowing all requests from the browser). To add a CORS policy, you can add two lines to the initialization code:

var builder = WebApplication.CreateBuilder(args);

// Add services to the container.

builder.Services.AddCors(o =>
	o.AddDefaultPolicy(b =>

// Learn more about configuring Swagger/OpenAPI at

var app = builder.Build();

// Configure the HTTP request pipeline.
if (app.Environment.IsDevelopment())





Code language: C# (cs)

Note: If you’re not using the latest project style (top-level statements), add these calls to Startup.ConfigureServices() and Startup.Configure().

Put whatever CORS policy makes sense for you. In the code above, I am simply allowing everything.

Next, I’ll show how to test that the CORS policy works as expected.

Test CORS locally

To test this locally you can call your web API from a browser from a page running on a different port. Chrome enforces CORS even when the port number is different, so that makes things simple for us to test this.

I have the following setup:

  • My ASP.NET web API is running on localhost:44379
  • My test page is running on localhost:44395

1 – Create a web page that calls your endpoint

I have a page with a button that says [Send ping]. It calls my web API endpoint and logs the results.

<script type="text/javascript" language="javascript">

    function sendPing() {
            .then(data => console.log(data))
            .then(res => console.log(res))

<div class="text-center">
    <button type="submit" onclick="javascript:sendPing()">Send ping</button>
Code language: HTML, XML (xml)

2 – Before enabling CORS, verify you get a CORS error

Send the request from the browser and check the console (Dev Tools / F12) to verify that you got a CORS error. A request that fails due to a CORS error will throw a generic error like “TypeError: Failed to fetch” and then show the CORS error in the console log. It looks like this:

(X) - Access to fetch at 'https://localhost:44379/ping' from origin 'https://localhost:44395' has been blocked by CORS policy...
(X) - GET https://localhost:44379/ping net::ERR_FAILED
(X) - TypeError: Failed to fetchCode language: plaintext (plaintext)

3 – After enabling CORS, verify the request succeeds

After adding the appropriate CORS policy (I’m simply allowing ALL requests), send a request from the browser and verify that it succeeds and there’s no CORS error in the console log. The console log should look like this:

Response {type: "cors", url: "https://localhost:44379/ping", status: 200....}
Fetch finished loading: GET "https://localhost:44379/ping"Code language: plaintext (plaintext)

Leave a Comment