When is CORS needed?
This requires that cross-origin request sending (CORS) is enabled (unless the application and the FotoWeb site are hosted on the same domain, which is usually not the case).
Enabling CORS in FotoWare on-premises
This only works if FotoWeb is hosted on IIS. If you are hosting FotoWeb on Apache, please consider switching to IIS, as Apache support is deprecated.
- Install Microsoft's IIS CORS module from https://www.iis.net/downloads/microsoft/iis-cors-module
web.config file of the IIS website on which your FotoWeb site is hosted.
DO NOT modify the web.config file in the Documents folder of the FotoWeb site! Your changes will be overwritten with every update. Instead, the web.config file of the website is free for you to customize. You can find its location by right-clicking on the website in IIS Manager and selecting "Explore". For example, for "Default Web Site", the location of the configuration file is typically C:\inetpub\wwwroot\web.config. If you create additional web sites, then each will have its own configuration file in a separate location that you choose, and you can and need to configure CORS separately for each site.
- Add the following XML block under the
    <cors enabled="true">
      <add origin="https://your-application.net" maxAge="120">
        <allowMethods>
          <add method="*"/>
        </allowMethods>
        <allowHeaders>
          <add header="*"/>
        </allowHeaders>
      </add>
    </cors>
This enables CORS from the given domain (in this case, https://your-application.net).
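To check an existing web.config against the notes in this section, the following added example (not FotoWare's or Microsoft's code) parses every `<cors>` section and reports rules that allow the wildcard origin, allow credentials, or restrict methods or headers so that PUBLISH or Authorization is excluded. The function names and the sample are constructed for illustration; `allowCredentials` is the IIS CORS module's attribute for credentialed requests, and treating it as a finding is this example's assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the page's <cors> block plus a second, permissive origin rule.
SAMPLE = """<cors enabled="true">
  <add origin="https://your-application.net" maxAge="120">
    <allowMethods><add method="*"/></allowMethods>
    <allowHeaders><add header="*"/></allowHeaders>
  </add>
  <add origin="*" allowCredentials="true">
    <allowMethods><add method="GET"/><add method="POST"/></allowMethods>
    <allowHeaders><add header="Content-Type"/></allowHeaders>
  </add>
</cors>"""

def _listed(rule, container, attr):
    """Return the lower-cased values listed under <container>, or None if absent."""
    node = rule.find(container)
    if node is None:
        return None
    return {a.get(attr, "").lower() for a in node.findall("add")}

def audit_cors(xml_text):
    """Return (origin, finding) pairs for every <cors> section in the XML text."""
    findings = []
    for cors in ET.fromstring(xml_text).iter("cors"):
        for rule in cors.findall("add"):
            origin = rule.get("origin", "")
            if origin == "*":
                findings.append((origin, "wildcard origin allowed"))
            if rule.get("allowCredentials", "false").lower() == "true":
                findings.append((origin, "credentials (cookies) allowed"))
            # Only explicit lists are judged; "*" means nothing is restricted.
            methods = _listed(rule, "allowMethods", "method")
            if methods is not None and "*" not in methods and "publish" not in methods:
                findings.append((origin, "PUBLISH method not allowed"))
            headers = _listed(rule, "allowHeaders", "header")
            if headers is not None and "*" not in headers and "authorization" not in headers:
                findings.append((origin, "Authorization header not allowed"))
    return findings

if __name__ == "__main__":
    for origin, finding in audit_cors(SAMPLE):
        print(f"{origin}: {finding}")
```

Pass the full text of a site's web.config to `audit_cors`; an empty result means none of these four conditions was found.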
For more detailed configuration options, please see the official documentation of the IIS CORS module (external link). Please note that not all possible configurations will work with the FotoWeb API and only configurations documented here have been tested. If you think your configuration should work, but doesn't, and it is required (e.g., due to a security policy dictated by your IT team), please submit a support request to FotoWare.
- It is NOT RECOMMENDED to allow the wildcard origin *, as this may open the site up to CSRF attacks from malicious sites. You should only explicitly enable sites that you trust.
- While you may limit the allowed methods, this may block some FotoWare API requests. The API currently uses a number of custom methods, such as PUBLISH in addition to the standard methods
- While you may limit the allowed headers, please note that a number of headers are required for making FotoWare API requests, such as Authorization, etc. Please see the documentation of the request endpoint you use for details.
- API requests generally do not need cookies, so you should not set