Adding AllowAnyHeader does not allow all headers in .NET Core 3.1

Time:04-16

In my .NET Core 3.1 Startup program, I have something like this:

public void ConfigureServices(IServiceCollection services)
{
    services.AddCors(options =>
    {
        options.AddDefaultPolicy(
            builder =>
            {
                builder.AllowAnyHeader();
                builder.AllowAnyMethod();
                builder.AllowAnyOrigin();
            });
    });
}

I was expecting that AllowAnyHeader would add "Access-Control-Allow-Methods": "GET,POST,PUT,DELETE,OPTIONS"; to the response header, but when I call a DELETE in a method configured with [HttpDelete] in the Controller, I see the following in the response header:

access-control-allow-methods → GET (no DELETE or OPTIONS)

So, what should I do to see all methods allowed in the response header?

CodePudding user response:

I use this method option to use all HTTP methods. I think that it's helpful.

public void ConfigureServices(IServiceCollection services)
{
    services.AddCors(options =>
    {
        options.AddDefaultPolicy(
            builder =>
            {
                builder.AllowAnyHeader()
                    .WithMethods("GET", "POST", "DELETE", "PUT", "OPTIONS");
            });
    });
}

CodePudding user response:

You can use this instead in Configure

// Inline policy: any method, any header, credentials allowed; no origin is specified.
app.UseCors(x => x
    .AllowAnyMethod()
    .AllowAnyHeader()
    .AllowCredentials());

or you should use

services.AddCors(options =>
{
    options.AddDefaultPolicy(
        builder =>
        {
            builder.AllowAnyOrigin()
                   .AllowAnyHeader()
                   .AllowAnyMethod();
        });
});

then use it in Configure

app.UseCors();
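
Added example (not part of the thread and not code from either answerer): a .NET Core 3.1 Startup that replaces the allow-everything policy with an explicit one and shows where UseCors sits in the pipeline. The policy name "Frontend" and the origin https://app.example.com are placeholders assumed for illustration.

```csharp
using System;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    // Hypothetical policy name used only in this example.
    private const string FrontendPolicy = "Frontend";

    public void ConfigureServices(IServiceCollection services)
    {
        services.AddControllers();
        services.AddCors(options =>
        {
            options.AddPolicy(FrontendPolicy, builder =>
            {
                builder
                    // Placeholder origin: list the exact scheme://host[:port]
                    // of each front end that is allowed to call this API.
                    .WithOrigins("https://app.example.com")
                    // Only the verbs the controllers actually expose.
                    .WithMethods("GET", "POST", "PUT", "DELETE")
                    // Only the request headers the client needs to send.
                    .WithHeaders("Content-Type", "Authorization")
                    // Allowed here because the origin is explicit; the framework
                    // rejects AllowCredentials() combined with AllowAnyOrigin().
                    .AllowCredentials()
                    // Lets the browser cache the preflight result.
                    .SetPreflightMaxAge(TimeSpan.FromMinutes(10));
            });
        });
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseRouting();
        // UseCors goes after UseRouting and before UseAuthorization/UseEndpoints.
        app.UseCors(FrontendPolicy);
        app.UseAuthorization();
        app.UseEndpoints(endpoints => endpoints.MapControllers());
    }
}
```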