Skip to main content
Documentation & User Guides | FotoWare

Enabling Cross Origin Request Sending (CORS) in FotoWare


How to enable CORS to allow an application to make requests to the FotoWare API.

When is CORS needed?

A single-page web application (SPA) can make requests to the FotoWeb API directly from JavaScript using "AJAX" (or XHR) requests.

This requires that cross-origin request sending (CORS) is enabled (unless the application and the FotoWeb site are hosted on the same domain, which is usually not the case).

Enabling CORS in FotoWare on-premises

This only works if FotoWeb is hosted on IIS. If you are hosting FotoWeb on Apache, please consider switching to IIS, 
as Apache support is deprecated.
  1.  Install Microsoft's IIS CORS module from
  2. Find the web.config file of the IIS website on which your FotoWeb site is hosted.

DO NOT modify the web.config file in the Documents folder of the FotoWeb site! Your changes will be overwritten with every update. Instead, the web.config file of the website is free for you to customize. You can find its location by right-clicking on the website in IIS Manager and selecting "Explore". For example, for "Default Web Site", the location of the configuration file is typically C:\inetpub\wwwroot\web.config. If you create additional web sites, then each will have its own configuration file in a separate location that you choose, and you can and need to configure CORS separately for each site.

  1.  Add the following XML block under the <system.webServer> XML tag:
<cors enabled="true">
 <add origin="" maxAge="120">
     <add method="*"/>
     <add header="*"/>

 This enables CORS from the given domain (in this case,

For more detailed configuration options, please see the official documentation of the IIS CORS module (external link). Please note that not all possible configurations will work with the FotoWeb API and only configurations documented here have been tested. If you think your configuration should work, but doesn't, and it is required (e.g., due to a security policy dictated by your IT team), please submit a support request to FotoWare.

Important notes:

  • It is NOT RECOMMENDED to allow the wildcard origin *, as this may open for CSRF attacks from malicious sites. You should only explicitly enable sites that you trust.
  • While you may limit the allowed methods, this may block some FotoWare API requests. The API currently uses a number of custom methods, such as PUBLISH in addition to the standard methods GETPOSTPUTPATCHDELETE.
  • While you may limit the allowed headers, please note that a number of headers are required for making FotoWare API requests, such as AcceptContent-TypeAuthorization, etc. Please see the documentation of the request endpoint you use for details.
  • API requests generally do not need cookies, so you should not set allowCredentials to true. An exception is the deprecated ArchiveAgent API, which requires the use of cookies.
  • Was this article helpful?