File under “Learn something new every day.”

Long story short, we have enabled CORS in our API, but today I learned that not all headers are included.

Particularly, like Aaron, we needed to ensure that the Location header came back when a POST request created a new resource. Our solution is a bit different than his. We’re already using the [EnableCorsAttribute](, so Rob pointed out that we can just do this:

EnableCorsAttribute("*", "*", "*", "location");

Like the other constructor arguments, that last can be a comma separated list. Looks legit!