Other topics

Enabling CORS for WebAPI 2

// Global.asax.cs calls this method at application start
public static void Register(HttpConfiguration config)
    // New code

//Enabling CORS for controller after the above registration
[EnableCors(origins: "", headers: "*", methods: "*")]
public class TestController : ApiController
    // Controller methods not shown...

Enabling CORS globally for Web API 2

public static void Register(HttpConfiguration config)
    var corsAttr = new EnableCorsAttribute("", "*", "*");

Enabling CORS in Asp.Net 5 for all domains and methods

public void ConfigureServices(IServiceCollection services)
    services.AddCors(o => o.AddPolicy("MyPolicy", builder =>

    // ...

public void Configure(IApplicationBuilder app)

    // ...

Enabling CORS in Asp.Net 5 for specific domains and methods

public void ConfigureServices(IServiceCollection services)
    services.ConfigureCors(options =>
         options.AddPolicy("AllowSpecific", p => p.WithOrigins("http://localhost:1233")

Configure CORS for WebAPI 2 with Windows Authentication

The following server-side configuration allows CORS request to work along with Windows Authentication (no anonymous must be enabled in IIS).

web.config - allow unauthenticated (anonymous) preflight requests (OPTIONS)

    <authentication mode="Windows" />
        <allow verbs="OPTIONS" users="*"/>
        <deny users="?" />

global.asax.cs - properly reply with headers that allow caller from another domain to receive data

protected void Application_AuthenticateRequest(object sender, EventArgs e)
    if (Context.Request.HttpMethod == "OPTIONS")
        if (Context.Request.Headers["Origin"] != null)
            Context.Response.AddHeader("Access-Control-Allow-Origin", Context.Request.Headers["Origin"]);

        Context.Response.AddHeader("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept, MaxDataServiceVersion");
        Context.Response.AddHeader("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS");
        Context.Response.AddHeader("Access-Control-Allow-Credentials", "true");


CORS enabling

public static class WebApiConfig
    public static void Register(HttpConfiguration config)
        // all requests are enabled in this example. SupportsCredentials must be here to allow authenticated requests          
        var corsAttr = new EnableCorsAttribute("*", "*", "*") { SupportsCredentials = true };

protected void Application_Start()

Properly send authenticated request from jQuery against Web API 2 endpoint

The following example shows how to properly construct both GET and POST requests against Web API 2 (CORS must be configured server-side, if sent from another domain):

<script type="text/javascript" src=""></script>
CORS with Windows Authentication test
<script type="text/javascript">

    // GET
        url: "endpoint url here",
        type: "GET",
        dataType: "json",
            xhrFields: {
            withCredentials: true
    .done(function (data, extra) {
      alert("GET result" + JSON.stringify(data));
    .fail(function(data, extra) {
        url: "url here",
        type: "POST",
        contentType: 'application/json; charset=utf-8',
        data: JSON.stringify({testProp: "test value"}),
        xhrFields: {
            withCredentials: true
        success: function(data) { 
            alert("POST success - " + JSON.stringify(data)); 
    .fail(function(data) {
        alert("Post error: " + JSON.stringify(;

Server-side code:

    public HttpResponseMessage GetRequestUsername()
        var ret = Request.CreateResponse(
            new { Username = SecurityService.GetUsername() });
        return ret;

    public HttpResponseMessage TestPost([FromBody] object jsonData)
        var ret = Request.CreateResponse(
            new { Username = SecurityService.GetUsername() });
        return ret;

Properly send authenticated request from AngularJS against Web API 2 endpoint

<script type="text/javascript" src=""></script>
CORS with Windows Authentication test (Angular)
<script type="text/javascript">

    var app = angular.module('myApp', []);
    app.controller('myCtrl', function($http) {
                method: 'GET',
                url: 'url here',
                withCredentials: true,
        .then(function(data) {
            alert("Get result = " + JSON.stringify(;
        function(data, extra) {
            alert("Get failed: " + JSON.stringify(;

                method: 'POST',
                url: "url here", 
                withCredentials: true,
                data: { url: "some url", message: "some message", type: "some type"}
        .then(function(data) {
            alert("POST success - " + JSON.stringify(;
        function(data) {
            alert("POST failed: " + JSON.stringify(;

<div ng-app="myApp" ng-controller="myCtrl">


Topic Id: 4185

Example Ids: 14644,14645,14646,14647,27674,27675,27676

This site is not affiliated with any of the contributors.