Enabling CORS in .Net Core Web API

 

Cross-Origin Resource Sharing (CORS)

Browser security prevents a web page from making requests to a different domain than the one that served the web page. This restriction is called the same-origin policy. The same-origin policy prevents a malicious site from reading sensitive data from another site.

Cross-Origin Resource Sharing (CORS) is an HTTP-header based mechanism that allows a server to indicate any origins (domain, scheme, or port) other than its own from which a browser should permit loading resources

Cross Origin Resource Sharing (CORS):

  • Is a W3C standard that allows a server to relax the same-origin policy.
  • Is not a security feature, CORS relaxes security. An API is not safer by allowing CORS. For more information, see How CORS works.
  • Allows a server to explicitly allow some cross-origin requests while rejecting others.
  • Is safer and more flexible than earlier techniques, such as JSONP.
In this example - we have an API endpoint that gives the list of Employee Data


If we try to consume the same API from an Ajax call (Refer privacy page for this implementation - http://localhost:5176/Home/Privacy), we get the below error.


Here the web application is running on the host http://localhost:5176/ which is trying to call an API from http://localhost:5157/ (not from same domain) and that's why it is not working.

To make it working, we need to Enable CORS at the API layer (it means we are relaxing the rules at API layer to allow access from a defined source)

There are 2 changes required in the Web API layer to achieve this.

builder.Services.AddCors(options =>
{
    options.AddDefaultPolicy(builder =>
    {
        builder.WithOrigins("http://localhost:5176")  //we should never allow * here because that is a big security risk
        .WithHeaders("content-type");
    });
});

and

app.UseCors();

If we try to access the API using JQuery from the web application - it should work fine.
  • An important point to observe here is that with origins takes an array of source, so we can provide multiple URLs here and the API will work from all requests coming from any of these sources.
  • We can also use WithHeaders (to provide the header name) and WithMethods (to specify Http method names) to control what is allowed or not
Instead of using the default policy of CORS - we can also create custom polices and use that

options.AddPolicy("SpecificOrigin", builder =>
                {
                    builder.WithOrigins("http://localhost:2020")
                        .WithHeaders("Authorization");
                });

In this case - we should use app.UseCors("SpecificOrigin"); instead of app.UseCors();

We can also use [EnableCors] or [EnableCors(PolicyName ="SpecificOrigin")] at the controller or action level for more control. Writing this at control or action level will override the default behavior.

We can also use [DisableCors] - at controller or action level which will ensure that these methods are not accessible from cross origin.


Preflight requests

For some CORS requests, the browser sends an additional OPTIONS request before making the actual request. This request is called a preflight request. The browser can skip the preflight request if all the following conditions are true:

  • The request method is GET, HEAD, or POST.
  • The app doesn't set request headers other than AcceptAccept-LanguageContent-LanguageContent-Type, or Last-Event-ID.
  • The Content-Type header, if set, has one of the following values:
    • application/x-www-form-urlencoded
    • multipart/form-data
    • text/plain
Browser makes a request of OPTIONS type to check the value of Access-Control-Allow-Origin (This call happens automatically before the actual API call ). If it gets a 204 response with the correct value in Access-Control-Allow-Origin - then only it makes the actual API call.

Reference Link:

GitHub URL


Comments

Post a Comment

Popular posts from this blog

Publish .Net Core Web API to Linux Host

Image
Publish .Net Core Web API to Linux Host In this post below, I am going to detail out the step of publishing a .NET Core Web API to Linux Host SSH the Linux host Open any SSH client like gitbash Go to the location where the .pem file exists ssh -i <pemfilename> -v <username>@<host_IP_Address> use sudo su for super admin access to run further command Create project folder Go to /var/www folder (cd /var/www) create a new folder for the project. For example SampleWebAPI (mkdir SampleWebAPI ) Publish project in release mode Open command prompt as administrator Go to Project folder - cd <foldername> dotnet publish  --configuration release Copy latest publish code to project folder Open file transfer tool like FileZilla Connect to linux host with right credentials Copy the file from local published folder to  /var/www/SampleWebAPI  Change the Nginx configuration file Go to cd /etc/nginx/sites-available/ Edit default config file: vim default...
Read more

Entity Relationship Using EF Core Code First Approach

 In this section, we are going to talk about the different kind of relationship between entities and how to establish that using C# code. Followings are the type of relationship One to Many An employee can have more than 1 education details. To Achieve this, we need to have a property in employee class like the below one. public ICollection<EmployeeEducation> EducationList { get; set; } Once we do this and add the migration, it will add a new column EmployeeID in EmployeeEducations table, but as a nullable attribute. In this case, if we try to add data in EmployeeEducations table, it will set EmployeeID as null To fix this, we need to add a cross reference in the EmployeeEducation Class, to denote that Every education record must have an employee ID. This will ensure that allow null attribute of EmployeeID column in EmployeeEducations  table is set to false. public Employee Employee { get; set; } If we try to insert values in EmployeeEducations table with below code...
Read more

Web API Using EF Core

Image
What is Web API  As the name suggests, is an API over the web which can be accessed using HTTP protocol. We can build Web API using different technologies such as Java, .NET etc.  Web API breaks the limitation of language. For example a web API written in .Net can be utilized by Java and vice verssa, because the request/response format of Web API is JSON which is understood by all language. For example, Twitter's  REST APIs  provide programmatic access to read and write data using which we can integrate twitter's capabilities into our own application. We can use tools like Fiddler, PostMan and Swagger for testing Web API .Net Core Web API -   Is an Ideal platform for building RESTful services. Is built on top of ASP.NET and supports ASP.NET request/response pipeline Maps HTTP verbs to method names. Supports different formats of response data. Built-in support for JSON, XML, BSON format. C...
Read more