Access-Control-Allow-Origin on F5

Question

Please guide me as to how Access-Control-Allow-Origin header is inserted on F5&nbsp;

kevin_stewart · Answer

Had to do a little research on CORS:
http://en.wikipedia.org/wiki/Cross-origin_resource_sharing
And based on the above, this is perhaps a start:
when HTTP_REQUEST {
    if { [HTTP::header exists Origin] } {
        set origin_host [HTTP::header Origin]
    }
}
when HTTP_RESPONSE {
    if { [info exists origin_host] } {
        if { $origin_host equals "http://www.example.com" } {
            HTTP::header insert Access-Control-Allow-Origin $origin_host
        }
    }
}

iheartf5_45022 · Answer

Another way to approach is this (we actually have this running in prod - we have some clients for which CORS support in the server is mandatory,  so we fake it);
when HTTP_REQUEST {

if {[HTTP::method] eq "OPTIONS"} {

HTTP::respond 200 Access-Control-Allow-Origin "[HTTP::header Origin]" \
                    Access-Control-Allow-Methods "POST, GET" \
                    Access-Control-Allow-Headers "soapaction" \
                    Access-Control-Allow-Credentials "true"
       return
  } 
}

Forum Discussion

Access-Control-Allow-Origin on F5

2 Replies

AppWorld 2026: Save the Date and Join Our Community In Person!

Introducing the F5 AI Assistant for BIG-IP

Recent Discussions

Expired client-certificate

F5 Big-IP Trust Internal CA Chain certificates for Web Servers

XC - geo LB to the origin servers

Floating Ip Problem

F5 rSeries || Upgrade tenant

Related Content

F5 HTTPS Redirect 2025

Extend Cross-Domain Request Security using Access-Control-Allow-Origin with Network-Side Scripting

Introducing the F5 Application Study Tool (AST)

Modernizing F5 Platforms with Ansible

Automating Certificate Management on F5 BIG-IP

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS