Web App built-on CORS header Access-Control-Max-Age
Using the built-in CORS support in App Service for an API Web App, we can't specify header 'Access-Control-Max-Age' or any other headers besides 'Access-Control-Allow-Credentials' and 'Access-Control-Allow-Origin'.
We would like to use the App Service built-in CORS because it's easy to manage all the different allowed origins from there, but we need to be able to set headers like 'Access-Control-Max-Age', 'Cache-Control', and 'Vary' to optimize the OPTIONS calls.
Thank you for the feedback! We will keep this item open, but at this time we do not have plans for this feature.
Filip Bojanowski commented
Currently App Service seems to be overwriting some CORS response headers. When setting the 'Access-Control-Max-Age' explicitly in a .Net Core app it does not show up in response headers when running the app as a Azure App Service. So it seems that App Services fully takes control of CORS headers.
With the app hosted elsewhere the application-set CORS headers show up correctly. Any chance for revisiting the issue of being allowed to set CORS-related headers directly on an App Service level? Or alternatively avoiding tampering with CORS headers set specifically in the hosted application?