CORS; How To Set HTTP Response Header on IIS Windows Server 2012 R2 to Access-Control-Allow-Origin

When attempting to make an AJAX call are you getting the following error?

XMLHttpRequest cannot load (then some path to the remote site). No ‘Access-Control-Allow-Origin’ header is present on the requested resource. Origin ‘’ is therefore not allowed access.

This means the Server hosting the resource is not set up to be CORS compliant.

If you are able to administer the server and if that server happens to be an IIS Windows Server 2012 R2, then this post is for you.

Cross-origin resource sharing (CORS) solves the issue that prevents sharing web services or resources between sites on different servers. Here is a link if you want to read more Cross-origin_resource_sharing. CORS sets up a mean by which a browser and server can safely determine whether or not to allow cross-origin requests. This permits more functionality and greater freedom than requests restricted to same-origin. At the same time, it is secure – not simply allowing every cross-origin request. In fact this is a recommended standard of the W3C.

To get our IIS Windows Server site to be CORS compliant (see How CORS works), we will need to add a CORS compliant HTTP Response header.

How To Add a CORS compliant HTTP Response Header to IIS Windows Server 2012 R2

In our case we will add the ‘Access-Control-Allow-Origin’ HTTP Response header.

  1. On the Windows server select the Internet Information Services (IIS) Manager application from the icons in the bottom bar or click the Windows icon and select “Server Manager”
  2. Navigate to the website you need to edit the response headers for.
  3. From the list or Icons related to the site you are editing, select “HTTP Response Headers”.
  4. After it opens look for “HTTP Response Headers”. It will say say, “Use this feature to configure HTTP headers that are added to the responses from the Web server.”
  5. Click “Add”
    A dialog box will open. For name enter “Access-Control-Allow-Origin” and for Value enter an asterisk. Or,  if want to restrict the interactions to queries from a particular site, then enter that domain.
  6. Then click the OK button.

That’s it! You’re done.

3 thoughts on “CORS; How To Set HTTP Response Header on IIS Windows Server 2012 R2 to Access-Control-Allow-Origin

  1. Please clarify: “Server hosting the resource”
    Does this refer to the the remote API source server OR the website calling the remote API source server?

    Which server needs the Access-Control-Allow-Origin Header? The server hosting the web service, or the website that is trying to ajax to the web service?


    1. Yes, “Server hosting the resource” is the remote API source server. This is also the server that needs the Access-Control-Allow-Origin Header. Hope that helps.

Leave a Reply

Your email address will not be published. Required fields are marked *