CORS support for PUT and DELETE with ASP.NET Web API

Question

I am working with the final version of ASP.NET Web API to implement a JavaScript-friendly API. Per various tutorials, I have enabled CORS in my web.config:

<system.webServer>
 <httpProtocol>
  <customHeaders>
    <add name="Access-Control-Allow-Origin" value="*" />
    <add name="Access-Control-Allow-Headers" value="Content-Type" />
  </customHeaders>
 </httpProtocol>
</system.webServer>

With the above, cross-domain GET and POST requests work fine, but PUT and DELETE requests both fail.

In Chrome:

Method PUT is not allowed by Access-Control-Allow-Methods.

Method DELETE is not allowed by Access-Control-Allow-Methods.

Is there something additional required to get PUT and DELETE verbs working cross-domain?

Do you have a global CORS handler aswell? Or did you fix the CORS in the web.config only? — Are Almaas, Apr 26 '13 at 09:04

score 50 · Accepted Answer · answered Sep 20 '12 at 22:11

50

It looks like adding another custom header sorted it out:

<system.webServer>
 <httpProtocol>
  <customHeaders>
    <add name="Access-Control-Allow-Origin" value="*" />
    <add name="Access-Control-Allow-Headers" value="Content-Type" />
    <add name="Access-Control-Allow-Methods" value="GET, POST, PUT, DELETE, OPTIONS" />
  </customHeaders>
 </httpProtocol>
</system.webServer>

answered Sep 20 '12 at 22:11

Nathan Taylor

23,720
17
90
152

2

This doesn't work for me. Only works for GET and POST. – Alex Jin Mar 15 '16 at 19:12

whyleee · Answer 2 · 2012-12-27T16:31:42.320

28

Also, in addition to Nathan answer, make sure you disabled WebDAV IIS module and set runAllManagedModulesForAllRequests="true" setting in the web.config:

<system.webServer>
  <modules runAllManagedModulesForAllRequests="true">
    <remove name="WebDAVModule"/>
  </modules>
  <handlers>
    <remove name="WebDAV" />
  </handlers>
</system.webServer>

Without this, preflight CORS requests (which are used for PUT, DELETE methods and send additional OPTIONS request) will not work.

edited Dec 27 '12 at 16:31

answered Dec 21 '12 at 00:06

whyleee

3,839
1
28
32

Ah thanks! My CORS handler wasn't working without those lines of code in web.config. – Are Almaas Apr 26 '13 at 10:39
3

What is the `WebDAV` handler doing, and why does it need to be removed? – Jim Aho Apr 15 '15 at 06:35
1

@JimAho: nice explaination is here: http://www.asp.net/web-api/overview/testing-and-debugging/troubleshooting-http-405-errors-after-publishing-web-api-applications – Cuong Nguyen Feb 19 '16 at 08:45
OMG!!! I have expend almost 7 days for this!! and luckily i got it. Similar problem was for me. problem was for only PUT + DELETE . Finally Solved, thanks. – gdmanandamohon Jan 19 '18 at 13:44

score 9 · Answer 3 · edited Feb 18 '16 at 22:30

9

Very simple solution to overcome CORS Issue in WEBAPI2.2.

Add the following in you WebApi Config File.

var cors = new EnableCorsAttribute("*", "*", "*");
Config.EnableCors(cors);

Before adding this make sure you remove the custom header in the Web.config file.

    <add name="Access-Control-Allow-Origin" value="*" />
    <add name="Access-Control-Allow-Credentials" value="true" />
    <add name="Access-Control-Allow-Headers" value="Origin, X-Requested-With, Content-Type, Accept, X-Token" />
    <add name="Access-Control-Allow-Methods" value="GET,PUT,POST,DELETE,OPTIONS" />

If you have both customheader as well the CORS enabled in WebApiconfig, you will face the cors error.

Add the cors enabled in WebApi config will solve the issue.

edited Feb 18 '16 at 22:30

Felipe Oriani

35,246
17
121
176

answered May 22 '15 at 08:11

Praveen Thangaraja

111
1
1

2

This is a good current solution and a good explanation. As you mentioned make sure both configurations don't exist (WebApiConfig.cs _and_ Web.config) or the CORS configuration will have a conflict and result in a `The 'Access-Control-Allow-Origin' header contains multiple values 'http://localhost:1234, *', but only one is allowed.` error. – atconway Jul 29 '15 at 02:33
4

In addition, one needs the following NuGet package to use the `EnableCorsAttribute` class: https://www.nuget.org/packages/Microsoft.AspNet.WebApi.Cors – atconway Jul 29 '15 at 02:33

score 0 · Answer 4 · answered Apr 15 '16 at 08:48

Please use this in web.config while you deployed your application,dont use in local web.config

    <system.webServer>
  <httpProtocol>
      <customHeaders>
        <add name="Access-Control-Allow-Origin" value="*" />
        <add name="Access-Control-Allow-Headers" value="Content-Type" />
        <add name="Access-Control-Allow-Methods" value="GET, POST, PUT, DELETE, OPTIONS" />
      </customHeaders>
    </httpProtocol>
 <ModSecurity enabled="false" configFile="C:\inetpub\wwwroot\owasp_crs\modsecurity.conf" />
    <validation validateIntegratedModeConfiguration="false" />
    <handlers>
      <remove name="ExtensionlessUrlHandler-Integrated-4.0" />
      <remove name="OPTIONSVerbHandler" />
      <remove name="TRACEVerbHandler" />
      <add name="ExtensionlessUrlHandler-Integrated-4.0" path="*." verb="*" type="System.Web.Handlers.TransferRequestHandler" preCondition="integratedMode,runtimeVersionv4.0" />
    </handlers>

  </system.webServer>

score 0 · Answer 5 · answered Feb 19 '19 at 13:28

0

Try to comment the line: <remove name="OPTIONSVerbHandler" /> in <handlers> tag

answered Feb 19 '19 at 13:28

Ibere Spadoto

172
12

CORS support for PUT and DELETE with ASP.NET Web API

5 Answers5

Linked