Security – Returning “200 OK” in Apache on HTTP OPTIONS requests

Tags: apache-2.2, http, mod-rewrite, security

I'm attempting to implement cross-domain HTTP access control without touching any code.

I've got my Apache(2) server returning the correct Access Control headers with this block:

Header set Access-Control-Allow-Origin "*"                   
Header set Access-Control-Allow-Methods "POST, GET, OPTIONS" 

I now need to prevent Apache from executing my code when the browser sends an HTTP OPTIONS request (it's stored in the REQUEST_METHOD environment variable), returning 200 OK.

How can I configure Apache to respond "200 OK" when the request method is OPTIONS?

I've tried this mod_rewrite block, but the Access Control headers are lost.

RewriteEngine On                  
RewriteCond %{REQUEST_METHOD} OPTIONS 
RewriteRule ^(.*)$ $1 [R=200,L]       

Best Answer

You're adding a header to a non-success (non-2xx) response, such as a redirect, in which case only the table corresponding to always is used in the ultimate response.

Correct "Header set":

Header always set Access-Control-Allow-Origin "*"                   
Header always set Access-Control-Allow-Methods "POST, GET, OPTIONS"
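
Added example, not part of the original answer: a small Python checker that applies the browser's preflight rules to an OPTIONS response, run against constructed "before" and "after" responses mirroring the two configurations above. It assumes non-credentialed requests; the origin `https://app.example` and the sample responses are made up for illustration.

```python
"""Check whether a CORS preflight (OPTIONS) response would satisfy a browser."""

SAFELISTED_METHODS = {"GET", "HEAD", "POST"}  # never need to be listed explicitly


def _tokens(value):
    # Split a comma-separated header value into stripped tokens.
    return {t.strip() for t in (value or "").split(",") if t.strip()}


def check_preflight(status, headers, origin, method, request_headers=()):
    """Return a list of problems; an empty list means the preflight passes.

    request_headers are the names the browser would send in
    Access-Control-Request-Headers (for example Content-Type for a JSON POST).
    """
    h = {k.lower(): v for k, v in headers.items()}
    problems = []
    if not 200 <= status <= 299:
        problems.append(f"status {status} is not 2xx")
    allow_origin = h.get("access-control-allow-origin")
    if allow_origin is None:
        problems.append("Access-Control-Allow-Origin missing")
    elif allow_origin not in ("*", origin):
        problems.append(f"origin {origin} not allowed")
    methods = _tokens(h.get("access-control-allow-methods"))
    if method not in SAFELISTED_METHODS and method not in methods and "*" not in methods:
        problems.append(f"method {method} not in Access-Control-Allow-Methods")
    allowed = {t.lower() for t in _tokens(h.get("access-control-allow-headers"))}
    for name in (n.lower() for n in request_headers):
        # The "*" wildcard never covers Authorization.
        wildcard_ok = "*" in allowed and name != "authorization"
        if name not in allowed and not wildcard_ok:
            problems.append(f"header {name} not in Access-Control-Allow-Headers")
    return problems


# Constructed sample responses (assumptions, not captured traffic).
ORIGIN = "https://app.example"
BEFORE = (200, {"Content-Length": "0"})  # "Header set": CORS headers lost
AFTER = (200, {"Access-Control-Allow-Origin": "*",
               "Access-Control-Allow-Methods": "POST, GET, OPTIONS"})

if __name__ == "__main__":
    for label, (status, hdrs) in (("before", BEFORE), ("after", AFTER)):
        print(label, check_preflight(status, hdrs, ORIGIN, "POST", ["Content-Type"]))
```

The last case shows that a preflight triggered by a non-safelisted request header such as `Content-Type: application/json` still fails until an `Access-Control-Allow-Headers` header is also sent.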