How To Disable Cors Protection On cPanel/WHM Servers
Cors is a resource that allows or disallows resource usage from an external domain name. If you have an application on one domain name but want to use the resources of that application from another domain name like Javascript or Fonts you will likely have to disable Cors protection in cPanel or allow the external domain name through your Cors protection.
Turn Off Cors
Here we show you have to white list any domain name, effectively disabling Cors protection. Whilst this is not a good idea in a production environment it’s great for testing before you go live with your website. Later on in the guide, we will show you have to allow just one domain name through your Cors protection or several domain names.
This guide is written for servers running Apache 2 on CentOS 7 with cPanel VPS installed. Because we don’t want our edits to be overwritten when Apache is updated we are going to use an include file. There are two different files you need to include. One for SSL and one for non-SSL. We assume you are redirecting all of your traffic to https but just in case you are not we are providing both ways. Should you be running OpenLiteSpeed and want to disable CORS protection. See the Disable CORS Protection on OpenLiteSpeed Servers article.
Disable Cors Protection cPanel
Sites using SSL Certificates
Modify the below code to include the cPanel username and the domain name of the site. Replace the correct code below
nano /etc/apache2/conf.d/userdata/ssl/2_4/cPanel_user_name/domain-name.com/yourinclude.conf
> cPanel_user_name : Accounts cPanel Username
>> domain-name.com : The domain name
Inside the new file enter the below code;
Header always set Access-Control-Allow-Origin "*"
Header always set Access-Control-Allow-Methods "POST, GET, OPTIONS, DELETE, PUT"
Header always set Access-Control-Max-Age "1000"
Header always set Access-Control-Allow-Headers "x-requested-with, Content-Type, origin, authorization, accept, client-security-token"
Save and close the file then, issue the below code to rebuild and restart Apache.
/usr/local/cpanel/scripts/rebuildhttpdconf ; /scripts/restartsrv_httpd --hard
None SSL Sites
If you are not using an SSL for whatever reason the correct place to place the include file is;
nano /etc/apache2/conf.d/userdata/std/2_4/cPanel_user_name/domain-name.com/includename.conf
Follow the above advice and replace the cPanel_User_name and domain-name.com with the correct information, once done issue the full line of code in an SSH console with the below code pasted inside the file
Header always set Access-Control-Allow-Origin "*"
Header always set Access-Control-Allow-Methods "POST, GET, OPTIONS, DELETE, PUT"
Header always set Access-Control-Max-Age "1000"
Header always set Access-Control-Allow-Headers "x-requested-with, Content-Type, origin, authorization, accept, client-security-token"
Finally, rebuild and restart Apache
/usr/local/cpanel/scripts/rebuildhttpdconf ; /scripts/restartsrv_httpd --hard
Cores protection is now disabled and any domain name can connect to your application and use its resources. As we said this is not a good idea in a production environment so, to just allow one domain name through Cors protection modify the first line of the code like this;
Header always set Access-Control-Allow-Origin "https://yourdomain.com"
Going Further…
In some cases, you may want to disable Cors protection server-wide, for every account on the server. You can achieve this by placing your include.conf file in the below location. This will disable Cors protection for all SSL and non-SSL domain names on the Linux VPS Server.
/etc/apache2/conf.d/userdata/your_include_file.conf
Always perform a rebuild and reboot after you modify Apache
/usr/local/cpanel/scripts/rebuildhttpdconf ; /scripts/restartsrv_httpd --hard
How was this article? – Disable Cors Protection cPanel VPS