Introducing IIS CORS 1.0

The IIS Team is pleased to announce the release of version 1.0 of the IIS CORS Module, which enables support for the Cross-Origin Resource Sharing (CORS) protocol.

CORS is a mechanism that lets a user agent access resources from a domain other than the one from which the first resource was served. CORS uses additional HTTP headers to request permission to access a selected resource. In addition, some requests may even trigger a preflight request, an HTTP OPTIONS request that probes which HTTP methods the server supports. The IIS CORS module helps with setting appropriate response headers and responding to preflight requests.

Once installed, the IIS CORS module is configured via a site or application web.config and has its own cors configuration section within system.webServer. Have a look at the configuration reference for more information.

The IIS CORS module is now available for download (x86/x64/WebPI).

We’d love to hear your feedback on using the new module. Give it a spin and let us know what you think!


  • Is this only for IIS 10?

  • @Sam,

    The CORS module can be used on IIS 7.5 (Windows Server 2008 R2) and above.


  • The IIS CORS module is installed and is first in the module queue.

    I added the following to the web.config

    <cors enabled="true" failUnlistedOrigins="true">
    <add origin="" allowed="true" />

    ( is just a placeholder for an actual URL that I have replaced in this comment)

    I run the following curl command:

    curl -i -H "Origin:"

    In the response headers, I see this:


    My understanding is that the CORS module should be blocking the request and not returning the 302. Additionally, IIS should definitely not be adding the bogus domain specified as the Origin into the Access-Control-Allow-Origin header.

    What am I missing here? Something critical in the configuration of the CORS module? No matter what I add in the config file, it doesn't seem to be blocking any requests.

  • Hello @Rick,

    What you sent looks like a web.config. Do you happen to have a CORS rule in the applicationHost.config that is allowing this domain such as

    <add origin="*" allowed="true" />
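
The check suggested in the last reply, as an added example that is not part of the original post or its comments: a Python sketch that scans configuration text for enabled `cors` rules that would allow an origin you expect to be rejected, and for sections that leave `failUnlistedOrigins` off. The sample files and origins are constructed, and the attribute defaults (`enabled` false, `allowed` true, `failUnlistedOrigins` false) and the `fnmatch` wildcard matching are assumptions of this sketch, not the module's own matching code.

```python
import fnmatch
import xml.etree.ElementTree as ET

# Constructed sample files; contents and origins are illustrative only.
SAMPLE_CONFIGS = {
    "applicationHost.config": """<configuration><system.webServer>
        <cors enabled="true">
          <add origin="*" allowed="true" />
        </cors></system.webServer></configuration>""",
    "web.config": """<configuration><system.webServer>
        <cors enabled="true" failUnlistedOrigins="true">
          <add origin="https://app.example.test" allowed="true" />
        </cors></system.webServer></configuration>""",
}

def is_true(value, default):
    """Read an XML boolean attribute, falling back to an assumed default."""
    return default if value is None else value.strip().lower() == "true"

def rules_allowing(origin, configs):
    """Return (file, rule origin) for every enabled allow rule matching `origin`."""
    hits = []
    for name, text in configs.items():
        for cors in ET.fromstring(text).iter("cors"):
            if not is_true(cors.get("enabled"), default=False):
                continue  # a disabled section contributes no rules
            for rule in cors.findall("add"):
                pattern = rule.get("origin", "")
                # Assumption: '*' wildcards approximated with fnmatch.
                if is_true(rule.get("allowed"), default=True) and \
                        fnmatch.fnmatchcase(origin.lower(), pattern.lower()):
                    hits.append((name, pattern))
    return hits

def sections_not_failing_unlisted(configs):
    """Return files whose enabled <cors> section leaves failUnlistedOrigins off."""
    return [name for name, text in configs.items()
            for cors in ET.fromstring(text).iter("cors")
            if is_true(cors.get("enabled"), default=False)
            and not is_true(cors.get("failUnlistedOrigins"), default=False)]

if __name__ == "__main__":
    for name, pattern in rules_allowing("https://bogus.example.test", SAMPLE_CONFIGS):
        print(f"{name}: rule origin={pattern!r} allows the test origin")
    print("failUnlistedOrigins off in:", sections_not_failing_unlisted(SAMPLE_CONFIGS))
```

The script only lists candidate rules per file; it does not model how IIS merges configuration levels, so confirm any hit against the effective configuration of the site.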

