DEV Community πŸ‘©β€πŸ’»πŸ‘¨β€πŸ’»

Cover image for CORS headers with dot net core 3
Russ Hammett
Russ Hammett

Posted on • Originally published at blog.kritner.com on

CORS headers with dot net core 3

Setting up a blanket CORS for .net core 3 is pretty simple, figuring out how to test it took longer than I care to realize…

This will hopefully be a short and sweet post, just wanna put this out there as a reminder, and to help someone that may just not realize much about testing changes with CORS.

The Project

Let’s create a new .net core 3 API with the command:

dotnet new webapi -n dotnetcoreCors.Api

command window create project command

Now let’s run it with dotnet run and see what we’re working with:

the running api

CORS

CORS being β€˜disabled’ by default is the safe thing to do, you don’t necessarily want any other website to be able to access your API on a user’s behalf, some nefarious deeds could potentially occur. You can read more about the background of CORS here. All that being said, here’s how to do a blanket allow all origins.

From the Startup.cs page, which should currently look like this:

Startup.cs

We’ll want to make a few updates.

In the void ConfigureServices(IServiceCollection services) method, we’ll want to add a CORS policy:

public void ConfigureServices(IServiceCollection services)
{
    // Add CORS policy
    services.AddCors(options =>
    {
        options.AddPolicy(AllowAllOriginsPolicy, // I introduced a string constant just as a label "AllowAllOriginsPolicy"
        builder =>
        {
            builder.AllowAnyOrigin();
        });
    });

    services.AddControllers();
}

and within public void Configure(IApplicationBuilder app, IWebHostEnvironment env):

public void Configure(IApplicationBuilder app, IWebHostEnvironment env)
{
    if (env.IsDevelopment())
    {
        app.UseDeveloperExceptionPage();
    }

    app.UseHttpsRedirection();
    app.UseRouting();
    app.UseCors(AllowAllOriginsPolicy);
    app.UseAuthorization();
    app.UseEndpoints(endpoints =>
    {
        endpoints.MapControllers();
    });
}

That’s all there is to it!

To test

Now to test our fancy new CORS header (here’s where I ended up having issues)… Let’s run our app again through dotnet run and hit our weatherForecast endpoint with Postman:

No header

Hmm. There’s no CORS header. This is actually expected (maybe for people that have worked more closely with HTTP headers). The CORS header is only present when needed - when the request is being done on behalf of another website, another origin.

We can update our postman get request to contain an β€œOrigin” header which will make our request look like it’s coming from a website, at which point the CORS header will be present:

CORS header

There are many options you can do with the CORS header, obviously you should not allow ALL origins as I did in my example code, unless that’s something you need. You can very easily restrict it to specific domains.

That’s it, CORS headers on your .net core 3 API, and how to confirm the header!

Full code (although not much) can be found:

https://github.com/Kritner-Blogs/dotnetcoreCors/releases/tag/v1

Top comments (0)

19 Valuable Github Repositories for Beginners

19 Valuable GitHub Repositories for beginner devs looking to take the first step into the web development career.