NGINX - Access-Control-Allow-Origin - CORS policy settings

How to properly set the Access-Control-Allow-Origin header in NGINX to allow Cross-Origin Resource Sharing for all (or specific) sites


Those who often read this blog already know that we're deeply in love with NGINX, a lightweight, high-performance and open-source web server and reverse proxy used by more than 358 million websites and over 66% of the world’s top 10,000 websites. And no, we're not taking money from them to say this, we just happen to like it a lot.

Anyway, in this post I'll briefly share the CORS configuration I'm using for the websites that need to perform Cross-Origin Resource Sharing activities of any kind, such as using web fonts from a subdomain on a main domain, or something like that:

WARNING: I used * for the sake of simplicity, but you can - and should - always limit those rules to a more restrictive domain/subdomain list, unless you really want to enforce a wide-open CORS policy (and you're fully aware of the implications).

Since it's a pretty long piece of code, you might want to put it in a separate file (such as /etc/nginx/cors-settings.conf) and then include it with the following one-liner:

Pretty neat, isn't it?
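As an added example (not the author's original configuration), here is the restricted setup the warning recommends, written to be included inside a location block, together with the include line. The origins under example.com and the $cors_origin variable name are assumptions.

```nginx
# http {} context, e.g. /etc/nginx/nginx.conf
# Echo the Origin back only when it is on the allowlist. Any other
# origin maps to "", and NGINX skips add_header with an empty value.
map $http_origin $cors_origin {
    default                     "";
    "https://example.com"       $http_origin;  # constructed allowlist entry
    "https://fonts.example.com" $http_origin;  # constructed allowlist entry
}

# /etc/nginx/cors-settings.conf (include it inside a location {} block,
# because add_header within "if" is only valid in location context)

# Wide-open form the warning refers to:
#   add_header 'Access-Control-Allow-Origin' '*' always;
# Restricted form:
add_header 'Access-Control-Allow-Origin'  $cors_origin always;
# Vary keeps shared caches from serving one origin's response to another.
add_header 'Vary'                         'Origin' always;
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS' always;
add_header 'Access-Control-Allow-Headers' 'Content-Type, Authorization' always;

# Preflight: answer OPTIONS directly. add_header directives are not
# inherited once a block declares its own, so they are repeated here.
if ($request_method = 'OPTIONS') {
    add_header 'Access-Control-Allow-Origin'  $cors_origin always;
    add_header 'Vary'                         'Origin' always;
    add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS' always;
    add_header 'Access-Control-Allow-Headers' 'Content-Type, Authorization' always;
    add_header 'Access-Control-Max-Age'       86400 always;
    return 204;
}

# In the site configuration:
location / {
    include /etc/nginx/cors-settings.conf;
}
```

Run `nginx -t` before reloading so that a syntax error in the included file is reported up front instead of failing the service start.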

If you're looking for further info about how to set & configure other NGINX security headers, such as X-Frame-Options, HTTP Strict Transport Security (HSTS), X-XSS-Protection, X-Content-Type-Options, Content Security Policy and Referrer Policy, be sure to check our NGINX HTTP Security Headers guide.

This post is part of a series of articles, tutorials and guides on the NGINX web server & reverse proxy.

About Ryan

IT Project Manager, Web Interface Architect and Lead Developer for many high-traffic web sites & services hosted in Italy and Europe. Since 2010 he's also a lead designer for many apps and games for Android, iOS and Windows Phone mobile devices for a number of Italian companies. Microsoft MVP for Development Technologies since 2018.


One Comment on “NGINX - Access-Control-Allow-Origin - CORS policy settings”

  1. Job for nginx.service failed because the control process exited with error code.
    See “systemctl status nginx.service” and “journalctl -xe” for details.
