.htaccess
1sudo a2enmod headers
2sudo service apache2 reload
.htaccess
<IfModule mod_headers.c>
Header set Access-Control-Allow-Origin "*"
Header set Access-Control-Allow-Methods: "POST, GET, OPTIONS, PUT, DELETE"
Header set Access-Control-Allow-Credentials: true
Header set Access-Control-Allow-Headers: X-Requested-With
</IfModule>
You can use add
rather than set
, but be aware that add
can add the header multiple times, so it’s generally safer to use set.
https://www.w3.org/wiki/CORS_Enabled
functions.php
Put this in functions.php
1// Enable CORS for the API
2// https://gist.github.com/miya0001/d6508b9ba52df5aedc78fca186ff6088
3// https://github.com/ahmadawais/WP-REST-Allow-All-CORS/blob/master/plugin.php
4function my_customize_rest_cors() {
5 remove_filter( 'rest_pre_serve_request', 'rest_send_cors_headers' );
6 add_filter( 'rest_pre_serve_request', function( $value ) {
7 header( 'Access-Control-Allow-Origin: *' );
8 header( 'Access-Control-Allow-Methods: GET, POST, OPTIONS, PUT, DELETE' );
9 header( 'Access-Control-Allow-Credentials: true' );
10 header( 'Access-Control-Expose-Headers: Link', false );
11 header( 'Access-Control-Allow-Headers: X-Requested-With' );
12 return $value;
13 } );
14}
15add_action( 'rest_api_init', 'my_customize_rest_cors', 15 );
.conf
fileAdd the header inside the <Directory>
section in the Apache virtual host files for the domain. (You may have 2 of them, one for SSL and one non-SSL)
# Allow .htaccess and Rewrites
<Directory /var/www/mysite.com/public_html>
Options FollowSymLinks
AllowOverride All
# Enable CORS
Header set Access-Control-Allow-Origin "https://www.mysite.com"
</Directory>
The side benefit of editing the .conf
file and not .htaccess
is that i can be sure that i don’t have to worry about the order of my redirects and what section goes before what
In the end none of these worked for my user case because i was also setting up redirection for the domain. When you redirect a domain, the origin gets changed to null
which is not an acceptable Origin