Set Access-Control-Allow-Origin

Is it possible to set the HTTP parameter Access-Control-Allow-Origin?

Reason I’m asking is: I’m including results from the API in another HTML page through custom AJAX. It fails if Access-Control-Allow-Origin isn’t set to *. It’s internal only, so security isn’t my concern in this case.

I’m running the built-in webserver, and I’d prefer to keep that for simplicity.

Hi Markus,

We are already setting it up. Here’s the piece of code where we configure it on NancyFX

public static void Enable(NancyContext context, Response response)
            if (response == null) 

            response.WithHeader("Access-Control-Allow-Origin", (context.Request.Headers["Origin"] ?? new string[0]).FirstOrDefault() ?? "*");
            response.WithHeader("Access-Control-Allow-Credentials", "true");
            response.WithHeader("Access-Control-Allow-Methods", "GET, PUT, POST, DELETE, OPTIONS");
            response.WithHeader("Access-Control-Allow-Headers", "cache-control, content-type, x-http-method-override");
            response.WithHeader("Allow", (context.Request.Headers["Access-Control-Request-Method"] ?? new string[0]).FirstOrDefault() ?? "GET");



HI Dalmiro,

thanks for the guidelines with Nancy. How do you set it up for Octopus standalone server? Is that something I can add to the configuration somewhere?


Hi Markus,

That’s the code inside Octopus itself - we copied and pasted it so you can see exactly what headers Octopus is already setting. This code is running on your Octopus server right now. Have you tried writing your HTML page making the AJAX calls yet? It should already work.


This is the code I’m trying, and it ends up in failing. I simply save this file locally and open it with Chrome:


<script src="jquery-1.11.2.js"></script>


$(document).ready(function() {
        url: "http://octopusserver/api/dashboard",
        headers: { "X-Octopus-ApiKey": "API-xxxxxxxxx" },
		dataType: "json"
	.fail(function(request, message, exception) {
		alert ("failed");
	.done(function(data) {
		alert ("succeeded");


If I enable cross site scripting, for example with this plugin, it works. So the code seems to be correct.

Thank you for hints,

Hi Markus,

It is possible that Chrome has problems setting up the CORS headers when running this from a local file. Try hosting you file one a webserver (localhost should work i think) and then open it from chrome.


I’m also having problems with this - it looks like the Access-COntrol-Allow-Headers is missing x-octopus-apikey ?

Firefox Developer logs:

This site makes use of a SHA-1 Certificate; it’s recommended you use certificates with signature algorithms that use hash functions stronger than SHA-1.[Learn More] releases
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://deploy01/api/projects/projects-65/releases. (Reason: missing token ‘x-octopus-apikey’ in CORS header ‘Access-Control-Allow-Headers’ from CORS preflight channel).
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://peg-bendeploy01/api/projects/projects-65/releases. (Reason: CORS request failed).

I see the same, x-octopus-apikey missing when debugging in Chrome.



I’ve created a Github issue to include the x-Octopus-APIKey header to CORS

In the meantime, try hitting the URL including the API Key like this



Great! This fixed it (and yes, I had to remove it from the headers additionally, so having the APIkey in the URL only).


Fixed for me also… :wink:

Fixed for me also…