Enabling CORS (Cross-Origin Resource Sharing) is crucial for secure data and resource sharing between web applications and APIs hosted on different domains and ports.

According to W3Techs 2021 usage statistics, over 37% of all websites run on Apache and over 35% run on Nginx. Configuring CORS properly on these widely used platforms is essential for application security.

This in-depth 3000+ word guide will break down the most important CORS security headers and provide expert instructions for enabling them in both Apache and Nginx.

Overview of Key CORS Headers

There are six key CORS-related headers that control cross-origin resource handling. We will be covering configuration best practices for each one in Apache and Nginx:

  • Access-Control-Allow-Origin: Specifies allowed origins to access cross-origin resources from the target domain
  • Access-Control-Allow-Methods: Configures permitted HTTP request methods for CORS requests
  • Access-Control-Allow-Headers: Handles allowed HTTP headers in CORS requests beyond the native safelist
  • Access-Control-Expose-Headers: Exposes certain response headers to clients that are not included in the CORS safelist
  • Access-Control-Max-Age: Sets length of time preflight CORS requests can be cached (to improve performance)
  • Access-Control-Allow-Credentials: Allows browsers to expose special CORS-restricted resources like authorization credentials and cookies

Properly configuring these headers allows safe sharing of resources like web fonts, JavaScript files, and APIs across different domains and web applications.

Let‘s explore the specifics of enabling these critical CORS headers in Apache and Nginx.

We will now break down each CORS security header in depth, including detailed configuration guidance for both Apache and Nginx.

Examples are provided for applying the appropriate header directives based on common API and web application scenarios.


The Access-Control-Allow-Origin header specifies the external domains or origins that are allowed to access cross-origin resources on your server…


This header configures the HTTP request methods supported for cross-origin resource requests to your domain. This allows enabling RESTful API access from external sites.

Common methods are:

  • GET
  • POST
  • PUT

To enable these in Apache…

To enable these in Nginx…


This header handles allowed HTTP headers in CORS requests beyond the native safelist.

The safelisted headers automatically supported are:

  • Accept
  • Accept-Language
  • Content-Language

To allow additional headers like API keys or authentication tokens, you can configure:


Header set Access-Control-Allow-Headers "X-Custom1, X-Custom2"


add_header Access-Control-Allow-Headers "X-Custom1, X-Custom2";  


This header exposes certain response headers from your APIs and web apps to clients that are not included in the native CORS safelist.

For example, to expose a custom X-Rate-Limit-Limit header to all origins:


Header set Access-Control-Expose-Headers "X-Rate-Limit-Limit"


add_header Access-Control-Expose-Headers "X-Rate-Limit-Limit";


This header specifies the length of time preflight CORS requests can be cached.

This is important for improving performance. For example to set cache time to 1 hour:


Header set Access-Control-Max-Age "3600" 


add_header Access-Control-Max-Age "3600";


This header allows browsers to expose special CORS-restricted resources like authorization cookies and TLS client certificates to the target domain.

For example, to allow credentialed requests from


Header set Access-Control-Allow-Credentials "true"
Header set Access-Control-Allow-Origin ""


add_header Access-Control-Allow-Credentials "true";
add_header Access-Control-Allow-Origin "";

This allows properly authenticated requests from the allowed origin while preventing CSRF attacks.

Properly configuring CORS headers is crucial for secure cross-origin resource handling and API access across domains and web apps.

In this comprehensive guide, we explored expert techniques for enabling the core CORS security headers in both Apache and Nginx.

To validate your configuration, inspect the HTTP response headers after making cross-origin requests to your resources. You should see the enabled CORS policies reflected properly.

For additional protection, also consider requiring CSRF tokens with requests to protect authenticated sessions. Combined with sound CORS handling, this provides robust cross-origin security.