Enabling Cross Origin Request Sending (CORS) in FotoWare
Overview
When is CORS needed?
A single-page web application (SPA) can make requests to the FotoWeb API directly from JavaScript using "AJAX" (or XHR) requests.
This requires that cross-origin request sending (CORS) is enabled (unless the application and the FotoWeb site are hosted on the same domain, which is usually not the case).
Enabling CORS in FotoWare on-premises
This only works if FotoWeb is hosted on IIS. If you are hosting FotoWeb on Apache, please consider switching to IIS, as Apache support is deprecated.
- Install Microsoft's IIS CORS module from https://www.iis.net/downloads/microsoft/iis-cors-module
-
Find the
web.config
file of the IIS website on which your FotoWeb site is hosted.
DO NOT modify the
web.config
file in theDocuments
folder of the FotoWeb site! Your changes will be overwritten with every update. Instead, theweb.config
file of the website is free for you to customize. You can find its location by right-clicking on the website in IIS Manager and selecting "Explore". For example, for "Default Web Site", the location of the configuration file is typicallyC:\inetpub\wwwroot\web.config
. If you create additional web sites, then each will have its own configuration file in a separate location that you choose, and you can and need to configure CORS separately for each site.
- Add the following XML block under the
<system.webServer>
XML tag:
<cors enabled="true"> <add origin="https://your-application.net" maxAge="120"> <allowMethods> <add method="*"/> </allowMethods> <allowHeaders> <add header="*"/> </allowHeaders> </add> </cors>
This enables CORS from the given domain (in this case, https://your-application.net)
For more detailed configuration options, please see the official documentation of the IIS CORS module (external link). Please note that not all possible configurations will work with the FotoWeb API and only configurations documented here have been tested. If you think your configuration should work, but doesn't, and it is required (e.g., due to a security policy dictated by your IT team), please submit a support request to FotoWare.
Important notes:
- It is NOT RECOMMENDED to allow the wildcard origin
*
, as this may open for CSRF attacks from malicious sites. You should only explicitly enable sites that you trust. - While you may limit the allowed methods, this may block some FotoWare API requests. The API currently uses a number of custom methods, such as
PUBLISH
in addition to the standard methodsGET
,POST
,PUT
,PATCH
,DELETE
. - While you may limit the allowed headers, please note that a number of headers are required for making FotoWare API requests, such as
Accept
,Content-Type
,Authorization
, etc. Please see the documentation of the request endpoint you use for details. - API requests generally do not need cookies, so you should not set
allowCredentials
totrue
. An exception is the deprecated ArchiveAgent API, which requires the use of cookies.