Cross-Origin Resource Sharing (CORS) is a security feature implemented by web browsers to prevent unauthorized access to resources from a different domain. In modern web development, where APIs are often accessed across multiple domains, correctly implementing CORS is crucial for security. In this article, we’ll explore how to implement CORS in .NET to ensure secure API access, providing detailed examples and explanations.
What is CORS?
CORS allows web servers to define which origins (domains) are allowed to access resources. Without CORS, web browsers restrict cross-origin HTTP requests initiated from scripts running in a different domain than the server.
For example, if a frontend application hosted at https://frontend.com wants to send a request to an API at https://api.example.com, CORS headers must be properly configured to allow this cross-origin interaction.
Why is CORS Important?
CORS prevents malicious websites from accessing sensitive resources from another domain without explicit permission. Without proper CORS configuration, your API can be vulnerable to security threats such as Cross-Site Request Forgery (CSRF) and data breaches. Properly configuring CORS ensures that your API is accessed only by trusted domains while blocking requests from unauthorized origins.
Setting up a .NET Web API Project
To demonstrate CORS implementation, we will start by setting up a .NET Web API project. We assume you’re using .NET 6 or later, but the same principles apply to earlier versions with slight modifications.
Creating a .NET Web API Project
Open a command prompt or terminal, and run the following command to create a new .NET Web API project:
dotnet new webapi -n CorsExample
Once the project is created, navigate to the project directory:
cd CorsExample
Adding CORS Middleware
CORS configuration is done in the Startup.cs file (for .NET 5 or earlier) or Program.cs in .NET 6 or later. For this example, we’ll use .NET 6. Open Program.cs and add the following code to enable CORS.
Basic CORS Configuration in .NET
Let’s begin by adding the most basic CORS configuration to your API, which allows any origin to access it.
var builder = WebApplication.CreateBuilder(args);
builder.Services.AddCors(options =>
{
options.AddDefaultPolicy(builder =>
{
builder.AllowAnyOrigin()
.AllowAnyMethod()
.AllowAnyHeader();
});
});
builder.Services.AddControllers();
var app = builder.Build();
app.UseHttpsRedirection();
app.UseCors(); // Enable CORS middleware
app.UseAuthorization();
app.MapControllers();
app.Run();
Explanation
- AllowAnyOrigin(): This method allows any origin to access the API. While useful for development, it’s not recommended for production.
- AllowAnyMethod(): It permits all HTTP methods (GET, POST, PUT, DELETE, etc.).
- AllowAnyHeader(): It allows any request headers to be sent.
Although this setup is simple, it opens the API to all origins, which can be a security risk in production environments. The following sections will show how to make CORS configuration more secure.
Restricting CORS for Security
In a secure production environment, you should restrict which origins, methods, and headers are allowed. This is particularly important when you need to limit API access to specific trusted domains.
Restricting CORS to Specific Origins
var builder = WebApplication.CreateBuilder(args);
builder.Services.AddCors(options =>
{
options.AddPolicy(“SpecificOrigins”, policy =>
{
policy.WithOrigins(“https://trustedclient.com”, “https://anothertrusted.com”)
.AllowAnyMethod()
.AllowAnyHeader();
});
});
builder.Services.AddControllers();
var app = builder.Build();
app.UseHttpsRedirection();
app.UseCors(“SpecificOrigins”);
app.UseAuthorization();
app.MapControllers();
app.Run();
In this example, only https://trustedclient.com and https://anothertrusted.com are allowed to make requests to the API. This ensures that no other origins can access the API, reducing the attack surface.
Customizing CORS for Specific Scenarios
Allowing Only Specific HTTP Methods
You can also restrict which HTTP methods are allowed, for example, if your API should only support GET and POST requests:
var builder = WebApplication.CreateBuilder(args);
builder.Services.AddCors(options =>
{
options.AddPolicy(“LimitedMethods”, policy =>
{
policy.WithOrigins(“https://trustedclient.com”)
.WithMethods(“GET”, “POST”)
.AllowAnyHeader();
});
});
builder.Services.AddControllers();
var app = builder.Build();
app.UseHttpsRedirection();
app.UseCors(“LimitedMethods”);
app.UseAuthorization();
app.MapControllers();
app.Run();
In this configuration, the API only accepts GET and POST requests from https://trustedclient.com. Any other HTTP methods, like PUT or DELETE, will be blocked.
Allowing Specific Headers
Sometimes, you may want to allow only certain headers in requests. This is useful for ensuring that only trusted headers are processed by your API.
var builder = WebApplication.CreateBuilder(args);
builder.Services.AddCors(options =>
{
options.AddPolicy(“LimitedHeaders”, policy =>
{
policy.WithOrigins(“https://trustedclient.com”)
.WithMethods(“GET”, “POST”)
.WithHeaders(“Content-Type”, “Authorization”);
});
});
builder.Services.AddControllers();
var app = builder.Build();
app.UseHttpsRedirection();
app.UseCors(“LimitedHeaders”);
app.UseAuthorization();
app.MapControllers();
app.Run();
In this case, only requests with the Content-Type and Authorization headers will be accepted. All other headers will be blocked, adding another layer of security.
Handling Preflight Requests
Browsers send an “OPTIONS” request before making actual requests to the server to check if the CORS policy allows the requested action. This is called a “preflight request.”
You may need to explicitly handle these preflight requests, especially if your API needs to respond to them. Here’s how you can configure CORS to handle OPTIONS requests:
var builder = WebApplication.CreateBuilder(args);
builder.Services.AddCors(options =>
{
options.AddPolicy(“PreflightPolicy”, policy =>
{
policy.WithOrigins(“https://trustedclient.com”)
.WithMethods(“GET”, “POST”, “OPTIONS”)
.AllowAnyHeader();
});
});
builder.Services.AddControllers();
var app = builder.Build();
app.UseHttpsRedirection();
app.UseCors(“PreflightPolicy”);
app.UseAuthorization();
app.MapControllers();
app.Run();
By allowing the OPTIONS method explicitly, you ensure that preflight requests are handled smoothly by the server.
Applying CORS to Specific Controllers or Actions
In some cases, you might not want to apply CORS globally. Instead, you can restrict CORS to specific controllers or even individual actions.
CORS on a Controller
[]
[]
public class ExampleController : ControllerBase
{
[]
[] // Apply CORS to this action
public IActionResult Get()
{
return Ok("CORS is enabled for this action.");
}
}
In this example, CORS is enabled only for the Get action in the ExampleController. This is useful when different controllers or actions require distinct CORS configurations.
Disabling CORS for a Specific Action
You may also want to disable CORS for certain actions, even if it’s enabled globally:
[]
[]
public class AnotherController : ControllerBase
{
[]
[] // Disable CORS for this action
public IActionResult Get()
{
return Ok("CORS is disabled for this action.");
}
}
Testing CORS Configuration
To verify your CORS setup, you can use tools like Postman or create a simple frontend application. Here’s an example using JavaScript:
fetch('https://api.example.com/endpoint', {
method: 'GET',
headers: {
'Content-Type': 'application/json',
'Authorization': 'Bearer your-token-here'
}
})
.then(response => response.json())
.then(data => console.log(data))
.catch(error => console.error('Error:', error));
Try testing from different origins and see if your API allows or blocks the requests according to the CORS policy.
Conclusion
CORS is an essential part of web security, especially for APIs that are accessed from multiple origins. In .NET, configuring CORS is straightforward but must be done thoughtfully to avoid security vulnerabilities. By allowing only trusted origins, specific HTTP methods, and headers, you can significantly reduce the attack surface of your API.
For production environments, always remember to:
- Restrict origins to trusted domains.
- Allow only necessary HTTP methods and headers.
- Test preflight requests to ensure proper handling.
Implementing secure CORS policies in .NET protects your API from unauthorized access and ensures that your web applications interact with the API securely.