Skip to main content
Documentation & User Guides | Fotoware

Enabling Cross-Origin Resource Sharing (CORS) in Fotoware


How to enable CORS to allow an application to make requests to the FotoWare API.

When is CORS needed?

A single-page web application (SPA) can make requests to the FotoWeb API directly from JavaScript using "AJAX" (or XHR) requests.

This requires that cross-origin resource sharing (CORS) is enabled (unless the application and the FotoWeb site are hosted on the same domain, which is usually not the case).

For information on enabling CORS in Fotoware SaaS, see Enabling CORS.

Enabling CORS in Fotoware On-Premises

  1.  Install Microsoft's IIS CORS module from
  2. Find the web.config file of the IIS website on which your FotoWeb site is hosted.

DO NOT modify the web.config file in the Documents folder of the FotoWeb site! Your changes will be overwritten with every update. Instead, the web.config file of the website is free for you to customize. You can find its location by right-clicking on the website in IIS Manager and selecting Explore. For example, for Default Web Site, the location of the configuration file is typically C:\inetpub\wwwroot\web.config. If you create additional web sites, then each will have its own configuration file in a separate location that you choose, and you can and need to configure CORS separately for each site.

  1.  Add the following XML block under the <system.webServer> XML tag:
<cors enabled="true">
 <add origin="" maxAge="120">
     <add method="*"/>
     <add header="*"/>

 This enables CORS from the given domain (in this case,

For more detailed configuration options, see the IIS CORS module official documentation (external link). Not all configurations will work with the FotoWeb API; only configurations documented here have been tested. If you think your configuration should work but doesn't, and it is required (due to a security policy required by your IT team, for example), contact Fotoware for support.


  • It is NOT RECOMMENDED to allow the wildcard origin *, as this may open up the possibility of CSRF attacks from malicious sites. You should only explicitly enable sites that you trust.
  • While you may limit the allowed methods, this may block some Fotoware API requests. The API currently uses some custom methods, such as PUBLISH in addition to the standard methods GETPOSTPUTPATCHDELETE.
  • While you may limit the allowed headers, note that several headers are required for making Fotoware API requests, such as AcceptContent-TypeAuthorization, etc. For more information, see the documentation of the request endpoint you use.
  • API requests generally do not need cookies, so you should not set allowCredentials to true. An exception is the deprecated ArchiveAgent API, which requires cookies.
  • Was this article helpful?