CORS on ColdFusion

If you don't have access to configure your web server, you can still send CORS headers from a ColdFusion script. This guide shows secure implementations for ColdFusion 11+ and earlier versions.

⚠️ Security Warning: Access-Control-Allow-Origin: * lets any website read your responses (browsers never send credentials with a wildcard). That is acceptable only for data that is genuinely public; anything authenticated, or reachable only from an internal network, must use an exact allowlist of origins in production.

Recommended: Secure Implementation with Origin Validation

This complete example includes origin validation, preflight handling, and proper security headers:

<!--- cors.cfm - Include at the top of API pages, before any output --->
<cfscript>
allowedOrigins = ["https://example.com", "https://app.example.com"];
requestOrigin = cgi.HTTP_ORIGIN ?: "";

// Tell caches the response depends on Origin even when the origin is rejected;
// otherwise a shared cache could serve a header-less response to an allowed origin.
cfheader(name="Vary", value="Origin");

// Exact, case-sensitive match only. Never use a substring or prefix check:
// an attacker-owned host such as example.com.evil.net would pass it.
if (arrayFind(allowedOrigins, requestOrigin)) {
    cfheader(name="Access-Control-Allow-Origin", value=requestOrigin);
}
</cfscript>

<cfif cgi.REQUEST_METHOD eq "OPTIONS">
    <!--- Preflight: advertise only the methods and headers the API actually uses --->
    <cfheader name="Access-Control-Allow-Methods" value="GET, POST, PUT, DELETE, OPTIONS">
    <cfheader name="Access-Control-Allow-Headers" value="Content-Type, Authorization">
    <cfheader name="Access-Control-Max-Age" value="86400">
    <cfheader statusCode="204" statusText="No Content">
    <cfabort>
</cfif>
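The allowlist check is the part of this setup attackers probe hardest, so here is an added example (not code from the original page) that puts an exact-match allowlist and a safe, anchored subdomain pattern next to the substring check you should never use, and runs both over a constructed list of probe origins. The names isAllowedOrigin, isAllowedOriginBroken and trustedSubdomainPattern, and the probe list itself, are this example's own.

```cfml
<!--- origin-check.cfm: added example, not part of the original page --->
<cfscript>
// Exact allowlist, as in cors.cfm above
allowedOrigins = ["https://example.com", "https://app.example.com"];

// Hypothetical: also trust any https subdomain of example.com. The pattern is anchored
// at both ends and pins the scheme, so the host must END in .example.com.
trustedSubdomainPattern = "^https://([a-z0-9-]+\.)+example\.com$";

function isAllowedOrigin(required string origin) {
    // Exact, case-sensitive match first (browsers send Origin lower-cased)
    if (arrayFind(allowedOrigins, arguments.origin)) return true;
    // Anchored pattern for subdomains; reFind is case-sensitive, keep it strict
    return reFind(trustedSubdomainPattern, arguments.origin) > 0;
}

// The pitfall: an unanchored substring check accepts attacker-controlled hosts
function isAllowedOriginBroken(required string origin) {
    return findNoCase("example.com", arguments.origin) > 0;
}

// Constructed probe origins, including the classic bypass shapes
probes = [
    "https://example.com",              // allowed: exact match
    "https://app.example.com",          // allowed: exact match
    "https://api.example.com",          // allowed: subdomain pattern
    "http://example.com",               // reject: wrong scheme
    "https://example.com.evil.net",     // reject: attacker suffix
    "https://notexample.com",           // reject: attacker prefix
    "https://evil.net/?x=example.com",  // reject: substring only in the path
    "null",                             // reject: never allowlist the literal "null" origin
    ""                                  // reject: same-origin or non-browser client, no header needed
];

for (p in probes) {
    writeOutput("#p# -> strict: #isAllowedOrigin(p)# / substring: #isAllowedOriginBroken(p)#<br>");
}
</cfscript>
```

Run it as a .cfm page: the strict check accepts only the first three probes, while the substring check accepts every probe except the empty one, which is exactly the gap a reflected-origin attack uses.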

Application.cfc Integration

For automatic CORS handling across your application, add this to your Application.cfc:

component {
    this.name = "MyApp";

    public boolean function onRequestStart(string targetPage) {
        // Enable CORS for API routes only; other pages never emit CORS headers
        if (findNoCase("/api/", arguments.targetPage)) {
            enableCORS();
        }
        return true;
    }

    private void function enableCORS() {
        var allowedOrigins = [
            'https://example.com',
            'https://app.example.com'
        ];
        var origin = cgi.HTTP_ORIGIN ?: '';

        // Sent for allowed and rejected origins alike so caches key on Origin
        cfheader(name="Vary", value="Origin");

        // Exact match against the allowlist; never reflect Origin unchecked
        if (arrayFind(allowedOrigins, origin)) {
            cfheader(name="Access-Control-Allow-Origin", value=origin);
        }

        // Answer the preflight here and stop, so the target page never runs for OPTIONS
        if (cgi.REQUEST_METHOD == "OPTIONS") {
            cfheader(name="Access-Control-Allow-Methods", value="GET, POST, PUT, DELETE");
            cfheader(name="Access-Control-Allow-Headers", value="Content-Type, Authorization");
            cfheader(name="Access-Control-Max-Age", value="86400");
            cfheader(statusCode="204");
            abort;
        }
    }
}
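The preflight branch above advertises one fixed set of methods and headers for every API page. As an added example (not the page's or Application.cfc's own code), the following answers a preflight from a per-route policy and refuses anything the route does not support, so the policy is never wider than the API. The routePolicy struct, the answerPreflight function, the use of cgi.SCRIPT_NAME as the route key and the 600-second Max-Age are this example's assumptions.

```cfml
<cfscript>
// preflight.cfm: added example, not code from the original page (CF11+ syntax)

// Hypothetical per-route policy keyed by script path: the methods and request
// headers each endpoint really implements. Keep it no wider than the endpoint.
routePolicy = {};
routePolicy["/api/data.cfm"]  = { methods: ["GET"],                   headers: ["authorization"] };
routePolicy["/api/items.cfm"] = { methods: ["GET", "POST", "DELETE"], headers: ["authorization", "content-type"] };

// Returns the CORS headers for a preflight, or an empty struct when it must be refused.
struct function answerPreflight(required string path, required string requestedMethod, string requestedHeaders = "") {
    if (!structKeyExists(routePolicy, arguments.path)) return {};
    var policy = routePolicy[arguments.path];

    // The method the browser wants to use must be one the route implements
    if (!arrayFindNoCase(policy.methods, arguments.requestedMethod)) return {};

    // Access-Control-Request-Headers is a comma-separated list; every entry must be allowlisted
    var wanted = listToArray(arguments.requestedHeaders, ",");
    for (var h in wanted) {
        if (!arrayFindNoCase(policy.headers, trim(h))) return {};
    }

    return {
        "Access-Control-Allow-Methods": arrayToList(policy.methods, ", "),
        "Access-Control-Allow-Headers": arrayToList(policy.headers, ", "),
        "Access-Control-Max-Age": "600"   // short cache so policy changes reach browsers quickly
    };
}

// Wiring: run the origin allowlist check from cors.cfm first, then answer the preflight
if (cgi.REQUEST_METHOD == "OPTIONS") {
    // The Access-Control-Request-* headers are not in the cgi scope; read the raw headers
    reqHeaders = getHttpRequestData().headers;
    wantedMethod  = structKeyExists(reqHeaders, "Access-Control-Request-Method")  ? reqHeaders["Access-Control-Request-Method"]  : "";
    wantedHeaders = structKeyExists(reqHeaders, "Access-Control-Request-Headers") ? reqHeaders["Access-Control-Request-Headers"] : "";

    corsHeaders = answerPreflight(cgi.SCRIPT_NAME, wantedMethod, wantedHeaders);
    if (structIsEmpty(corsHeaders)) {
        // Refused: no Allow-* headers, so the browser blocks the real request. Log it for detection.
        writeLog(file="cors", type="warning", text="Refused preflight #wantedMethod# #cgi.SCRIPT_NAME# from #cgi.HTTP_ORIGIN#");
        cfheader(statusCode="403", statusText="Forbidden");
        abort;
    }
    for (name in corsHeaders) {
        cfheader(name=name, value=corsHeaders[name]);
    }
    cfheader(statusCode="204", statusText="No Content");
    abort;
}
</cfscript>
```

The refused preflights end up in the cors log, which is a cheap signal for someone enumerating your API from an origin you never expected.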

Component-Based Implementation (CF11+)

Create a reusable CORS component for modern ColdFusion applications. The component lives in its own file (CORSHandler.cfc) and is instantiated from the page that needs it; a component cannot be declared inline inside a .cfm page.

// CORSHandler.cfc - CORS Configuration Component
component {
    variables.allowedOrigins = [
        'https://example.com',
        'https://app.example.com'
    ];

    public void function enableCORS() {
        var requestOrigin = cgi.HTTP_ORIGIN ?: '';

        // The response depends on Origin whether or not it is accepted
        cfheader(name="Vary", value="Origin");

        // Validate origin (exact match only)
        if (arrayFind(variables.allowedOrigins, requestOrigin)) {
            cfheader(name="Access-Control-Allow-Origin", value=requestOrigin);
            // Only needed if browsers send cookies or Authorization to this API;
            // acceptable here because the origin is an exact allowlist match, never *
            cfheader(name="Access-Control-Allow-Credentials", value="true");
        }

        // Handle preflight
        if (cgi.REQUEST_METHOD == "OPTIONS") {
            cfheader(name="Access-Control-Allow-Methods", value="GET, POST, PUT, DELETE, OPTIONS");
            cfheader(name="Access-Control-Allow-Headers", value="Content-Type, Authorization");
            cfheader(name="Access-Control-Max-Age", value="86400");
            cfheader(statusCode="204", statusText="No Content");
            abort;
        }
    }
}

<!--- api.cfm - a page that uses the component --->
<cfscript>
// Usage: must run before any output is written
cors = new CORSHandler();
cors.enableCORS();

// Your application logic here
writeOutput(serializeJSON({
    'status': 'success',
    'message': 'CORS enabled'
}));
</cfscript>

REST API Integration

For ColdFusion REST APIs, integrate CORS in your component methods:

component rest="true" restpath="/api" {
    remote any function getData() httpmethod="GET" restpath="/data" {
        enableCORS();
        return {"data": "value"};
    }

    private void function enableCORS() {
        var allowedOrigins = ['https://example.com', 'https://app.example.com'];
        var origin = cgi.HTTP_ORIGIN ?: '';

        // Always vary on Origin, even for rejected origins, so caches stay correct
        cfheader(name="Vary", value="Origin");

        // Exact allowlist match; never reflect Origin unchecked
        if (arrayFind(allowedOrigins, origin)) {
            cfheader(name="Access-Control-Allow-Origin", value=origin);
        }
    }
}

This only adds the header to the actual response. A preflight OPTIONS request (sent for PUT and DELETE, and for any request that carries an Authorization header) must still be answered with Access-Control-Allow-Methods and Access-Control-Allow-Headers, for example from Application.cfc as shown above or at the web server if you can configure it.

With Credentials

If your API must accept cookies or an Authorization header from the browser, add the credentials header. Browsers reject a credentialed response whose Access-Control-Allow-Origin is * (and treat * in Access-Control-Allow-Headers and Access-Control-Allow-Methods as a literal, not a wildcard), so the exact, allowlisted origin must be echoed. Keep that list short: every origin on it can read authenticated responses on behalf of a logged-in user. Cookies marked SameSite=Lax or Strict are not sent on cross-site requests regardless of this header.

<cfscript>
allowedOrigins = ["https://example.com"];
requestOrigin = cgi.HTTP_ORIGIN ?: "";

// Sent for every response so caches key on Origin
cfheader(name="Vary", value="Origin");

if (arrayFind(allowedOrigins, requestOrigin)) {
    // Exact allowlisted origin, never *, because credentials are allowed below
    cfheader(name="Access-Control-Allow-Origin", value=requestOrigin);
    cfheader(name="Access-Control-Allow-Credentials", value="true");
}
</cfscript>

Simple Implementation (Development Only)

For development environments only, you can use a simple wildcard implementation:

Tag Based File

<cfheader name="Access-Control-Allow-Origin" value="*">

Script Based File (CF11+)

cfheader(name="Access-Control-Allow-Origin", value="*");

Pre-CF11 Versions

<cfscript>
// cfheader() is not available as a script function before CF11; set the header on the servlet response instead.
// (var is not allowed outside a function, so assign without it at page level.)
getPageContext().getResponse().setHeader("Access-Control-Allow-Origin", "*");
</cfscript>

Important: Headers must be set before any output has been flushed to the client (for example by <cfflush>, or by output that exceeds the response buffer), so place the CORS code at the very top of the page or in Application.cfc.

Version Compatibility

The tag form <cfheader> works on every ColdFusion version. The script function cfheader() and the ?: operator used in the examples above require ColdFusion 11 or later; on earlier versions, replace cfheader() with getPageContext().getResponse().setHeader() as shown in the Pre-CF11 snippet and use isDefined() or structKeyExists() in place of ?:. Script-based components, abort; and arrayFind() are available from ColdFusion 9.

Testing Your CORS Configuration

For comprehensive testing instructions including curl commands, browser DevTools usage, and troubleshooting common CORS errors, see the CORS Testing Guide.

Who’s behind this

Monsur Hossain and Michael Hausenblas

Contribute

The content on this site stays fresh thanks to help from users like you! If you have suggestions or would like to contribute, fork us on GitHub.
