Applications / Linux / Servers & Services / Software / Web

NGINX - Access-Control-Allow-Origin - CORS policy settings How to properly set the Access-Control-Allow-Origin header to NGINX to allow Cross Request Resource Sharing for all (or specific) sites

- by Ryan - 1 Comment 23.0K
How to cache your website using NGINX and FastCGI in CentOS 7 with PHP FastCGI Process Manager PHP-FPM

Those who often read this blog already know that we're deeply in love with NGINX, a lightweight, high-performance and open-source web server and reverse proxy used by more than 358 million websites and over 66% of the world’s top 10,000 websites. And no, we're not taking money from them to say this, we just happen to like it a lot.

Anyway, in this post I'll briefly share the CORS configuration I'm using for the web sites that need to perform Cross Request Resource Sharing activities of any kind - such as using web-fonts from a subdomain on a main domain, or something like that:

WARNING: i used * for the sake of simplicity, but you can - and should - always limit those rules to a more restrictive domain/subdomain list, unless you really want to enforce a wide-open CORS policy (and you're fully aware of the implications).

Since it's a pretty long piece of code, you might want to put this on a separate file (such as /etc/nginx/cors-settings.conf ) and then include it with the following one-liner:

Pretty neat, isn't it?

If you're looking for further info about how to set & configure other NGINX security headers, such as X-Frame-Options, HTTP Strict Transport Security (HSTS), X-XSS-Protection, X-Content-Type-Options, Content Security Policy and Referrer Policy, be sure to check our NGINX HTTP Security Headers guide.

This post is part of a series of articles, tutorials and guides on the NGINX web server & reverse proxy. To read the other posts, click here!
Print Friendly, PDF & EmailPrint Friendly & PDF Download

Related Posts

Il ruolo del Web Server

The role of the Web Server General overview of the tool that handles the HTTP requests and provides responses: what it is, what it does, what it is for

Corso di Formazione - Web Administrator

Web Administrator Training Course A learning path to acquire the necessary skills to configure, manage and administer a web server on Windows, Linux, and in the Cloud

How to cache your website using NGINX and FastCGI in CentOS 7 with PHP FastCGI Process Manager PHP-FPM

Configure HTTP Basic Authentication on NGINX How to implement HTTP Basic Authentication in a NGINX web server to restrict access for your website users with a simple username/password challenge

About Ryan

IT Project Manager, Web Interface Architect and Lead Developer for many high-traffic web sites & services hosted in Italy and Europe. Since 2010 it's also a lead designer for many App and games for Android, iOS and Windows Phone mobile devices for a number of italian companies. Microsoft MVP for Development Technologies since 2018.

View all posts by Ryan

One Comment on “NGINX - Access-Control-Allow-Origin - CORS policy settings How to properly set the Access-Control-Allow-Origin header to NGINX to allow Cross Request Resource Sharing for all (or specific) sites

  1. Job for nginx.service failed because the control process exited with error code.
    See “systemctl status nginx.service” and “journalctl -xe” for details.

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *


The reCAPTCHA verification period has expired. Please reload the page.

This site uses Akismet to reduce spam. Learn how your comment data is processed.