Not getting proper CORS headers from server


On both our local installation, and at, no Access-Control-Allow-Origin header is being returned from the server when trying to access the REST API. For example, if I send the following request:

Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Access-Control-Request-Method: GET
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36
Accept: */*
Accept-Encoding: gzip, deflate, sdch
Accept-Language: en-US,en;q=0.8

Then the headers I get back are:

HTTP/1.1 200 OK
Transfer-Encoding: chunked
Allow: GET
Content-Type: text/html
Content-Encoding: gzip
Server: Octopus Deploy/ Microsoft-HTTPAPI/2.0
X-UA-Compatible: IE=edge
X-Frame-Options: DENY
Date: Tue, 20 Sep 2016 16:41:20 GMT

It is interesting that the Allow header is properly returned, though.


Never mind; it turns out we needed to restart the service after running:

Octopus.Server.exe configure --webCorsWhitelist=*

Now all is well :slight_smile:

Hi Dave,

Great to hear all is well! Whenever a configuration change is made, a restart of the service is required to apply the configuration changes.

Kind regards,



This issue has been closed due to inactivity. If you encounter the same or a similar issue and require help, please open a new discussion (if we asked for logs or extra details in this thread, consider including them in the new thread). If you are the creator of this thread and believe it should not be closed, let us know via our support email.
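
Added example (not part of the original thread and not Octopus code): a small checker that applies a browser's preflight rules to a raw response header block, showing why the response quoted in the first post is blocked and what a wildcard whitelist permits compared with an explicit origin. The origin names and the two "after" responses are constructed; what the server actually returns after `--webCorsWhitelist=*` is an assumption, not a capture.

```python
SAFELISTED = {"GET", "HEAD", "POST"}  # need no Access-Control-Allow-Methods entry

def parse_headers(raw):
    """Parse a raw response header block into a dict keyed by lower-cased name."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def check_preflight(raw, origin, method="GET", credentials=False):
    """Return (allowed, reason) for a preflight response as seen from `origin`."""
    h = parse_headers(raw)
    acao = h.get("access-control-allow-origin")
    if acao is None:
        return False, "no Access-Control-Allow-Origin header"
    if acao == "*":
        if credentials:  # browsers refuse a wildcard when credentials are sent
            return False, "wildcard origin is rejected for credentialed requests"
    elif acao != origin:
        return False, "allowed origin does not match request origin"
    listed = {m.strip().upper()
              for m in h.get("access-control-allow-methods", "").split(",")}
    wildcard_ok = "*" in listed and not credentials
    if method.upper() not in SAFELISTED | listed and not wildcard_ok:
        return False, "method not listed in Access-Control-Allow-Methods"
    return True, ("any origin allowed" if acao == "*" else "origin explicitly allowed")

# Constructed samples. BEFORE mirrors the headers quoted in the thread.
BEFORE = """HTTP/1.1 200 OK
Allow: GET
Content-Type: text/html
X-Frame-Options: DENY
Date: Tue, 20 Sep 2016 16:41:20 GMT"""
# Assumed shape of a response once a wildcard whitelist is active.
AFTER_WILDCARD = BEFORE + "\nAccess-Control-Allow-Origin: *"
# Assumed shape of a response when one origin is whitelisted instead of "*".
AFTER_EXPLICIT = BEFORE + "\nAccess-Control-Allow-Origin: https://dashboard.example.test"

if __name__ == "__main__":
    origin = "https://dashboard.example.test"  # hypothetical calling page
    for label, raw in [("before", BEFORE), ("wildcard", AFTER_WILDCARD),
                       ("explicit", AFTER_EXPLICIT)]:
        print(label, check_preflight(raw, origin))
    print("wildcard+credentials", check_preflight(AFTER_WILDCARD, origin, credentials=True))
    print("explicit, other origin",
          check_preflight(AFTER_EXPLICIT, "https://other.example.test"))
```

The `Allow: GET` header in the original response plays no part in this check, which is why it can be present while the cross-origin request is still blocked.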