Enabling Cross-Origin Resource Sharing on IIS7: Resolving OPTIONS Request 405 Errors

Nov 22, 2025 · Programming · 15 views · 7.8

Keywords: IIS7 | CORS | Cross-Origin Resource Sharing | OPTIONS Request | 405 Error | Handler Mappings

Abstract: This technical paper provides an in-depth analysis of the 405 Method Not Allowed error encountered when configuring CORS on IIS7 servers. Through examination of IIS handling mechanisms, it presents two comprehensive solutions involving Handler Mappings modification and application-level code implementation. The article includes complete configuration examples and comparative analysis to help developers overcome common cross-domain request obstacles.

Fundamentals of Cross-Origin Resource Sharing

Cross-Origin Resource Sharing (CORS) serves as a critical mechanism in modern web development for handling cross-domain requests. When browsers detect cross-origin XMLHttpRequest operations, they initiate OPTIONS preflight requests to verify server permissions. In IIS7 environments, default configurations may lead to improper handling of OPTIONS requests, resulting in 405 status codes.

Problem Diagnosis and Root Cause Analysis

Even with proper CORS configuration, OPTIONS requests may still return 405 errors. This typically occurs because IIS7's OPTIONSVerbHandler processes OPTIONS requests before application code. The default ProtocolSupportModule handling of OPTIONS verbs may fail to properly route requests to the application layer.

Solution One: Modifying IIS Handler Mappings

By adjusting IIS Handler Mappings configuration, OPTIONS requests can be correctly routed to application processing. Implementation steps include:

  1. Open IIS Manager and navigate to the target site's Handler Mappings
  2. Locate the entry named 'OPTIONSVerbHandler'
  3. Change the handler from 'ProtocolSupportModule' to 'IsapiHandler'
  4. Set the executable path to: %windir%\Microsoft.NET\Framework\v4.0.30319\aspnet_isapi.dll

This configuration ensures OPTIONS requests are processed by the ASP.NET runtime, enabling CORS settings from web.config to take effect.

Solution Two: Application-Level Handling

As an alternative approach, OPTIONS requests can be handled directly in the application's Global.asax file:

protected void Application_BeginRequest(object sender, EventArgs e)
{
    HttpContext.Current.Response.AddHeader("Access-Control-Allow-Origin", "*");

    if (HttpContext.Current.Request.HttpMethod == "OPTIONS")
    {
        HttpContext.Current.Response.AddHeader("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE");
        HttpContext.Current.Response.AddHeader("Access-Control-Allow-Headers", "Content-Type, Accept");
        HttpContext.Current.Response.AddHeader("Access-Control-Max-Age", "1728000");
        HttpContext.Current.Response.End();
    }
}

This method responds to preflight requests at the code level, completely bypassing IIS's default handling mechanism.

Configuration Examples and Best Practices

A complete web.config configuration should include:

<?xml version="1.0" encoding="utf-8"?>
<configuration>
    <system.webServer>
        <httpProtocol>
            <customHeaders>
                <add name="Access-Control-Allow-Origin" value="*" />
                <add name="Access-Control-Allow-Methods" value="GET,PUT,POST,DELETE,OPTIONS" />
                <add name="Access-Control-Allow-Headers" value="Content-Type" />
            </customHeaders>
        </httpProtocol>
    </system.webServer>
</configuration>

For production deployments, it's recommended to replace the "*" value in Access-Control-Allow-Origin with specific domain names to enhance security.

Solution Comparison and Selection Guidelines

The Handler Mappings modification approach suits server-level unified configuration but may reset during application redeployment. The application-level handling solution offers greater flexibility and independence from IIS configuration but requires implementation in each application. For production environments, combining both approaches within deployment workflows ensures configuration persistence.

Browser Compatibility Considerations

Different browsers exhibit varying levels of CORS support. IE8 and IE9 utilize the XDomainRequest object instead of standard XMLHttpRequest, with limited support for custom headers. Additional compatibility handling may be necessary when supporting legacy browsers.

Security Considerations

CORS implementation requires careful security assessment. While setting Access-Control-Allow-Origin to "*" provides convenience, it potentially exposes APIs to any domain. Production environments should strictly limit allowed origin domains and consider implementing authentication and authorization mechanisms.

Copyright Notice: All rights in this article are reserved by the operators of DevGex. Reasonable sharing and citation are welcome; any reproduction, excerpting, or re-publication without prior permission is prohibited.