Restrict or allow resource sharing between sites using the CORS header.
The CORS (Cross-Origin Resource Sharing) header is supported in all modern browsers.
By default, the browser restricts cross-origin HTTP requests made from scripts. CORS is handy for reusing common application resources in other web applications. Once the header is added correctly, it instructs the browser to allow the application's resources to be loaded from a different origin.
There are six popular types of CORS headers a server can send. Let’s explore them.
The most popular one is Access-Control-Allow-Origin, which tells the browser to load the resources on the allowed origin. It supports a wildcard (*), and with the wildcard any domain can load the resources. However, it also has an option to allow a specific origin.
Add the following in httpd.conf or any other in-use configuration file.
Header set Access-Control-Allow-Origin "*"
Restart Apache to test. You should see the header in the response headers.
To allow a specific origin instead (e.g., https://gf.dev), you can use the following.
Header set Access-Control-Allow-Origin "https://gf.dev"
Here is an example that allows the origin https://geekflare.dev. Add the following to the server block of nginx.conf or whichever configuration file is in use.
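An added Nginx example, not the original article's configuration: it shows the wildcard and the single-origin form as commented alternatives, and goes one step further with an allowlist, since Access-Control-Allow-Origin carries either * or exactly one origin. The second origin, server_name and root are assumptions.

```nginx
# Added example (not from the original article). Everything except
# https://geekflare.dev is an assumed placeholder value.

# http context: echo the request's Origin back only when it is on the
# allowlist. Any other origin maps to an empty string, and nginx does
# not emit an add_header header whose value is empty.
map $http_origin $cors_allow_origin {
    default                     "";
    "https://geekflare.dev"     $http_origin;
    "https://app.example.com"   $http_origin;   # assumed second origin
}

server {
    listen 80;
    server_name static.example.com;   # assumed
    root /var/www/static;             # assumed

    # Wildcard, shown for contrast: any site may read these responses.
    # add_header Access-Control-Allow-Origin "*";

    # Single fixed origin, the case described in the text:
    # add_header Access-Control-Allow-Origin "https://geekflare.dev" always;

    # Allowlist of several origins (uses the map above). "always" also
    # sets the header on error responses, not only on 2xx/3xx.
    add_header Access-Control-Allow-Origin $cors_allow_origin always;

    # The response now differs per Origin, so shared caches must key on
    # it; otherwise one origin's cached header is served to another.
    add_header Vary Origin always;

    # Note: add_header directives are inherited from this level only by
    # location blocks that define no add_header of their own.
}
```

After reloading Nginx, a request carrying an Origin that is not in the map should come back without any Access-Control-Allow-Origin header.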
I hope the above helps you to implement the CORS header in Apache HTTP and the Nginx web server for better security. You may also be interested in applying OWASP recommended secure headers.