NGINX - Access-Control-Allow-Origin - CORS policy settings

Those who often read this blog already know that we're deeply in love with NGINX, a lightweight, high-performance and open-source web server and reverse proxy used by more than 358 million websites and over 66% of the world’s top 10,000 websites. And no, we're not taking money from them to say this, we just happen to like it a lot.

Anyway, in this post I'll briefly share the CORS configuration I'm using for the websites that need to perform Cross-Origin Resource Sharing activities of any kind - such as using web-fonts from a subdomain on a main domain, or something like that:

WARNING: I used * for the sake of simplicity, but you can - and should - always limit those rules to a more restrictive domain/subdomain list, unless you really want to enforce a wide-open CORS policy (and you're fully aware of the implications).

Since it's a pretty long piece of code, you might want to put this in a separate file (such as /etc/nginx/cors-settings.conf) and then include it with the following one-liner:
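As an added example (not the configuration from the original post), here is one way to replace the wide-open * with an origin allowlist, as the warning above recommends, and to load it from the separate file. The example.com hostnames, the /fonts/ path and the $cors_origin variable name are assumptions.

```nginx
# Added example; hostnames, the /fonts/ path and $cors_origin are assumptions.

# 1) http {} context: echo the Origin back only if it is on the allowlist.
#    The regex is anchored and its dots are escaped, so look-alike hosts
#    such as example.com.other.tld do not match.
map $http_origin $cors_origin {
    default                                "";
    "https://example.com"                  $http_origin;
    "https://www.example.com"              $http_origin;
    "~^https://[a-z0-9-]+\.example\.com$"  $http_origin;   # one subdomain level, HTTPS only
}

# 2) /etc/nginx/cors-settings.conf: meant to be included inside a location {} block.
# nginx skips add_header when the value is empty, so unlisted origins get no grant.
add_header Access-Control-Allow-Origin  $cors_origin always;
add_header Vary                         Origin always;   # caches must key on Origin

# Preflight: answer directly. add_header is not inherited into a block that
# declares its own add_header, so the headers are repeated here.
if ($request_method = OPTIONS) {
    add_header Access-Control-Allow-Origin  $cors_origin always;
    add_header Vary                         Origin always;
    add_header Access-Control-Allow-Methods "GET, OPTIONS" always;
    add_header Access-Control-Allow-Headers "Content-Type" always;
    add_header Access-Control-Max-Age       600 always;
    return 204;
}

# 3) server {} block: apply the policy only where cross-origin access is needed.
location /fonts/ {
    include /etc/nginx/cors-settings.conf;
}
```

After a reload, `nginx -t` validates the syntax, and a request sent with an unlisted Origin header should come back without any Access-Control-Allow-Origin header.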

Pretty neat, isn't it?

If you're looking for further info about how to set & configure other NGINX security headers, such as X-Frame-Options, HTTP Strict Transport Security (HSTS), X-XSS-Protection, X-Content-Type-Options, Content Security Policy and Referrer Policy, be sure to check our NGINX HTTP Security Headers guide.

This post is part of a series of articles, tutorials and guides on the NGINX web server & reverse proxy. To read the other posts, click here!