NGINX – Access-Control-Allow-Origin – CORS policy settings

How to properly set the Access-Control-Allow-Origin header in NGINX to allow Cross-Origin Resource Sharing for all (or specific) sites


Those who often read this blog already know that we’re deeply in love with NGINX, a lightweight, high-performance and open-source web server and reverse proxy used by more than 358 million websites and over 66% of the world’s top 10,000 websites. And no, we’re not taking money from them to say this, we just happen to like it a lot.

Anyway, in this post I’ll briefly share the CORS configuration I’m using for the web sites that need to perform Cross-Origin Resource Sharing activities of any kind – such as using web-fonts from a subdomain on a main domain, or something like that:

WARNING: I used * for the sake of simplicity, but you can – and should – always limit those rules to a more restrictive domain/subdomain list, unless you really want to enforce a wide-open CORS policy (and you’re fully aware of the implications).

Since it’s a pretty long piece of code, you might want to put this in a separate file (such as /etc/nginx/cors-settings.conf) and then include it with the following one-liner:
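An added example, not the configuration from the original post: a restrictive variant of the kind the warning above recommends, split into the separate file and include line just described. The two origins, the method and header lists, the server name and the /fonts/ location are placeholder assumptions.

```nginx
# Added example, not the original post's configuration.
# Origins, methods, headers, server name and location are placeholders.

# --- http {} context, e.g. /etc/nginx/nginx.conf ---
# Echo the Origin back only when it is on the allowlist. Anything else
# maps to "", and nginx does not emit an add_header with an empty value.
map $http_origin $cors_origin {
    default                      "";
    "https://example.com"        $http_origin;
    "https://www.example.com"    $http_origin;
}

# --- /etc/nginx/cors-settings.conf ---
# The response now varies by Origin, so shared caches must key on it.
add_header Vary                         "Origin" always;
add_header Access-Control-Allow-Origin  $cors_origin always;
add_header Access-Control-Allow-Methods "GET, OPTIONS" always;
add_header Access-Control-Allow-Headers "Content-Type" always;
add_header Access-Control-Max-Age       600 always;

# Answer preflight requests here. The if block has no add_header of its
# own, so it inherits the ones above.
if ($request_method = OPTIONS) {
    return 204;
}

# --- server {} block of the site serving the shared resources ---
server {
    listen 80;
    server_name static.example.com;

    location /fonts/ {
        include /etc/nginx/cors-settings.conf;
    }
}
```

After `nginx -t` and a reload, a request carrying an allowlisted Origin header should receive Access-Control-Allow-Origin with that origin, and a request from any other origin should receive no such header.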

Pretty neat, isn’t it?

If you’re looking for further info about how to set & configure other NGINX security headers, such as X-Frame-Options, HTTP Strict Transport Security (HSTS), X-XSS-Protection, X-Content-Type-Options, Content Security Policy and Referrer Policy, be sure to check our NGINX HTTP Security Headers guide.


About Ryan

IT Project Manager, Web Interface Architect and Lead Developer for many high-traffic web sites & services hosted in Italy and Europe. Since 2010 he has also been a lead designer for many apps and games for Android, iOS and Windows Phone mobile devices for a number of Italian companies. Microsoft MVP for Development Technologies since 2018.
