David Ruttka

I make computers do things

Exposing Additional Headers in CORS Responses Using the EnableCorsAttribute

| Comments

File under “Learn something new every day.”

Long story short, we have enabled CORS in our API, but today I learned that not all headers are included.

Particularly, like Aaron, we needed to ensure that the Location header came back when a POST request created a new resource. Our solution is a bit different than his. We’re already using the EnableCorsAttribute, so Rob pointed out that we can just do this:

1
EnableCorsAttribute("*", "*", "*", "location");

Like the other constructor arguments, that last can be a comma separated list. Looks legit!

Comments