I am running my apache on http://localhost:8083 and i am calling an API hosted on local box i.e. http://localhost:8082
I want to map http://localhost:8083/test-call/abc/authorize call to actual service call i.e. http://localhost:8082/TestCall/abc/authorize.
I have rewrite engine as follows in httpd.conf file:
RewriteEngine on
RewriteRule "^/test-call/(.*)$" "http://localhost:8082/TestCall/$1"
I can see that the call is being mapped correctly from developer console of chrome i.e. http://localhost:8082/TestCall/abc/authorize and i have disabled CORS on my browser as i am testing the API call only.
I have added the following headers in my httpd.conf file:
Header set Access-Control-Allow-Origin "http://localhost:8083"
Header always set Access-Control-Allow-Headers "Authorization, X-Requested-With, Content-Type, content-type, x-requested-with, Accept, Access-Control-Allow-Origin, Cache-Control"
Header always set Cache-Control "no-cache, no-store, must-revalidate"
Header always set Access-Control-Allow-Methods "GET, POST, DELETE, HEAD, OPTIONS"
Header always set Access-Control-Expose-Headers "Content-Security-Policy, Location"
Header always set Access-Control-Max-Age "3600"
Header always set REMOTE_USER "abc.def#db.com"
It's a react application and the bundles are getting loaded correctly with the specified headers above and also the REMOTE_USER is getting added to the REPONSE_HEADERS but for the rewritten URL, the headers are not getting applied.
I want to pass the REMOTE_USER header in the API call after rewrite/redirect.
I have enabled mod_headers and mod_rewrite.
What am i missing?
I'm using the Fetch API in Javascript to fetch an image from a cross-origin apache server (which I control) but I'm getting the following errors:
SEC7120: [CORS] The origin 'http://origin.com' did not find 'http://origin.com' in the Access-Control-Allow-Origin response header for cross-origin resource cross-origin.com/….jpg
HTTP401: DENIED - The requested resource requires user authentication.
(Fetch)GET cross-origin.com/….jpg
Below is the javascript which creates the request object to fetch the jpg:
var authb64 = btoa(\'' . $xrefrec['ftp_username'] . ':' . $xrefrec['ftp_password'] . '\');
const request = new Request(document.getElementById(thm.photo_id).href,{
\'Access-Control-Request-Headers\': \'Authorization\',
\'Options\': \'* HTTP/1.1\',
\'Authorization\': \'Basic \' + authb64,
\'Origin\': \'http://origin.com\',
\'Credentials\': \'include\',
\'Cache\': \'no-cache\',
\'Mode\': \'cors\',
\'Method\': \'GET\'
});
The code creates an anchor tag, passes the request to fetch(), then awaits the Promise to resolve.
On the server, I've setup a .htaccess file in the directory where the images reside, as follows:
AuthName "Client Only"
AuthType Basic
AuthBasicProvider dbm
AuthDBMUserFile "C:/Bitnami/wampstack-7.3.11-0/apps/.../conf/.htdbm-users"
Require user (valid user id)
RewriteRule ^/(clientgalleries).*$/ $1
Header set Access-Control-Allow-Methods "GET,OPTIONS"
Header set Access-Control-Allow-Credentials "true"
Header set Cache-Control no-cache
Header set Access-Control-Allow-Headers "Authorization,Access-Control-Allow-Origin"
Header set WWW-Authenticate: Basic
Header set Access-Control-Allow-Origin "http://origin.com"
If I understand it correctly, you're trying to make a CORS request from an unknown domain (you haven't shared it - thats ok) to origin.com. Is this correct?
The Origin header cannot be changed by your JavaScript code. For example if you have javascript from A.com requesting the image from B.com, then B.com must allow A.com in its Access-Control-Allow-Origin header.
Using apache mod_proxy 2.5 I'm trying to merge or replace an existing access-control-allow-origin header with mod_headers in a proxypass location.
the answer returned from proxied backend already includes a access-control-allow-origin header which I'd like to merge or replace
Header always merge Access-Control-Allow-Origin "*"
Header always set Access-Control-Allow-Methods "OPTIONS, GET"
Header always set Access-Control-Max-Age "1000"
Header always set Access-Control-Allow-Headers "x-requested-with, Content-Type, origin, authorization, accept, client-security-token, x-smp-appcid"
This results in a header duplicate which raises an error in all browser cause this header can only occur once.
same is for Header always set although this should replace the existing header.
I also tried to use if module to first check for the headers occurence and only set if unset. but it's somehow hard to look into response headers.
any help is appreciated
I got through the same problem by setting the Access-Control-Allow-Origin and Access-Control-Allow-Credentials headers only when its a preflight request
The second request ( POST, DELETE, PUT etc ) which is handled by the proxied backend ( which already sends the required headers ) is not a preflight request and hence the headers would not be set again by the Apache rules.
To check for preflight request, you could check whether the request contains:
REQUEST_METHOD == OPTIONS
Access-Control-Request-Method !-= ""
Origin != ""
Hope this helps.
My website supports both http and https protocols. However using the code below in .htaccess file, I can only set one domain to allow CORS requests:
Header set Access-Control-Allow-Origin: http://example.com
I want to allow CORS for both http and https versions of my site (not just "*") and tried the solutions here:
Access-Control-Allow-Origin Multiple Origin Domains?
But the problem is that all solutions rely on Origin header in the request which may not exist and also is not secure. (anyone can put a origin header in their request)
I want to know if the request has been served over https and use this info to set the proper CORS header. Something like this:
SetEnvIf servedOverHttps httpsOrigin=true
Header set Access-Control-Allow-Origin: https://example.me env=httpsOrigin
SetEnvIf notServedOverHttps httpOrigin=true
Header set Access-Control-Allow-Origin: http://example.me env=httpOrigin
How can I find out that it's a https request?
Have you tried using HTTPS variable?
It will be set to "on" for all https requests.
Your .htaccess should look like this
Header set Access-Control-Allow-Origin: http://example.com #default
Header set Access-Control-Allow-Origin: https://example.com env=HTTPS #override if https
I want to configure apache for cross-domain access header. I have tried multiple combination as suggested on number of threads on the forum. But its not working for me.
The ways, I have tried:
1) Specify domain on different line as below with Header set :
Header set Access-Control-Allow-Origin "example1.com"
Header set Access-Control-Allow-Origin "example2.com"
Header set Access-Control-Allow-Origin: "example3.com"
With this setup its picking only last one and ignore rest of all.
2) Specify domain on different line as below with Header add :
Header add Access-Control-Allow-Origin "example1.com"
Header add Access-Control-Allow-Origin "example2.com"
Header add Access-Control-Allow-Origin: "example3.com"
With this its showing all three domains in header, but fonts are not getting picked up on Firefox.
3.) Tried Using SetEnvIf, but again its not working :
SetEnvIf Origin "http(s)?://(www\.)?(mydomain.com|mydomain2.com)$" AccessControlAllowOrigin=$0$1
Header add Access-Control-Allow-Origin %{AccessControlAllowOrigin}e env=AccessControlAllowOrigin
Finally working with "*", but I don't want to use this.
Please help with this.
For 3 domains, in your .htaccess:
<IfModule mod_headers.c>
SetEnvIf Origin "http(s)?://(www\.)?(domain1.org|domain2.com|domain3.net)$" AccessControlAllowOrigin=$0$1
Header add Access-Control-Allow-Origin %{AccessControlAllowOrigin}e env=AccessControlAllowOrigin
Header set Access-Control-Allow-Credentials true
</IfModule>
I've tried this and it works for me. Let me know if it doesn't for you.
Unless I'm misunderstanding the manual, it should be:
Header always append Access-Control-Allow-Origin: "example1.com"
Header always append Access-Control-Allow-Origin: "example2.com"
Header always append Access-Control-Allow-Origin: "example3.com"
The manual states that the set and add actions behave in the following way:
set: "The response header is set, replacing any previous header with this name"
add: "...This can result in two (or more) headers having the same name. This can lead to unforeseen consequences..."
To restrict access to certain URIs checkout these docs:
CrossOriginRequestSecurity
Server-Side Access Control#Apache_examples
One helpful trick is to use an Apache rewrite, environment variable, and headers to apply Access-Control-Allow-* to certain URIs. This is useful, for example, to constrain cross-origin requests to GET /api(.*).json requests without credentials:
RewriteRule ^/api(.*)\.json$ /api$1.json [CORS=True]
Header set Access-Control-Allow-Origin "*" env=CORS
Header set Access-Control-Allow-Methods "GET" env=CORS
Header set Access-Control-Allow-Credentials "false" env=CORS
Also, in general, according to W3 Wiki - CORS Enabled#For_Apache
To expose the header, you can add the following line inside Directory, Location, and Files sections, or within an .htaccess file.
<IfModule mod_headers.c>
Header set Access-Control-Allow-Origin "*"
</IfModule>
AND, you can use add rather than set, but be aware that add can add the header multiple times, so it's generally safer to use set.
Try this one, it works for me.
Apply in .htaccess:
SetEnvIf Origin "^http(s)?://(.+\.)?(domain\.org|domain2\.com)$" origin_is=$0
Header always set Access-Control-Allow-Origin %{origin_is}e env=origin_is
Will be work 100%, Apply in .htaccess:
# Enable cross domain access control
SetEnvIf Origin "^http(s)?://(.+\.)?(domain1\.com|domain2\.org|domain3\.net)$" REQUEST_ORIGIN=$0
Header always set Access-Control-Allow-Origin %{REQUEST_ORIGIN}e env=REQUEST_ORIGIN
Header always set Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"
Header always set Access-Control-Allow-Headers "x-test-header, Origin, X-Requested-With, Content-Type, Accept"
# Force to request 200 for options
RewriteEngine On
RewriteCond %{REQUEST_METHOD} OPTIONS
RewriteRule .* / [R=200,L]
For Apache 2.4, I have used SET command for the Apache web server to set Header dynamically.
<IfModule mod_deflate.c>
# CORS
SetEnvIfNoCase Origin "http(s)?://(\w+\.)?(example.com|localhost)(:[0-9]+)?$" AccessControlAllowOrigin=$0
Header set Access-Control-Allow-Origin %{AccessControlAllowOrigin}e env=AccessControlAllowOrigin
Header set Access-Control-Allow-Credentials true
</IfModule>
ADD command didn't work for me.
I am using this in my .htaccess file for allowing access to multiple domains
<ifModule mod_headers.c>
SetEnvIf Origin "http(s)?://(localhost:25120|domain.com|domain2.com)$" AccessControlAllowOrigin=$0
Header add Access-Control-Allow-Origin %{AccessControlAllowOrigin}e env=AccessControlAllowOrigin
Header always set Access-Control-Allow-Methods: "GET,POST,OPTIONS,DELETE,PUT"
</ifModule>
For Multiple domains, in your .htaccess:
<IfModule mod_headers.c>
SetEnvIf Origin "http(s)?://(www\.)?(domain.com|domain.online|domain.in|domain.net|domain.site|domain.website|domain.space)$" AccessControlAllowOrigin=$0
Header set Access-Control-Allow-Origin %{AccessControlAllowOrigin}e env=AccessControlAllowOrigin
Header set Access-Control-Allow-Credentials true
</IfModule>
it 100% works for me
This works for me in Classic ASP:
If Request.ServerVariables("HTTP_ORIGIN") = "http://domain1.com" Then
Response.AddHeader "Access-Control-Allow-Origin","http://domain1.com"
ElseIf Request.ServerVariables("HTTP_ORIGIN") = "http://domain2.com" Then
Response.AddHeader "Access-Control-Allow-Origin","http://domain2.com"
'and so on
End If