---
title: "Enabling CORS in Drupal 8/9 on Acquia Cloud Site Factory"
date: "2022-02-11T16:58:32+00:00"
summary:
image:
type: "article"
url: "/site-factory/help/93991-enabling-cors-drupal-89-acquia-cloud-site-factory"
id: "3c2b39be-80e1-43eb-82ca-690fc2ffd906"
---

[Cross-origin resource sharing (CORS)](https://en.wikipedia.org/wiki/Cross-origin_resource_sharing) is disabled by default in Drupal 8. In a self-hosted, Acquia Cloud Enterprise, or Acquia Cloud Professional environment, you would edit the `settings.php` and `services.yml` files within the site directory. In Acquia Cloud Site Factory, you must use a factory hook to customize the `settings.php` file. This guide shows how to enable CORS for Acquia Cloud Site Factory sites using Factory Hooks.

NOTE: There is a known bug in Drupal 8 core around CORS and Varnish caching. Please see our [Knowledgebase Article](/node/92516).

### Steps 

#### 1: Check out a local copy of your site code

If you need help with this step, see [Git best practices on Acquia Cloud Site Factory](/node/57358).

#### 2: Create a services.yml file

In the `/factory-hooks/post-settings-php/` directory, create a new `services.yml` file. Copy the CORS-specific entries from the [default.services.yml](https://cgit.drupalcode.org/drupal/tree/sites/default/default.services.yml#n157) file into the new `services.yml` file and modify them to suit your needs. If you need help starting out, review the examples in the comments section of this page on drupal.org: [Opt-in CORS support](https://www.drupal.org/node/2715637).
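As an added illustration (not Acquia's or Drupal's shipped file), a restrictive `services.yml` for this step could look like the following. The key names are those of the `cors.config` block in `default.services.yml`; the origin, header list, method list and `maxAge` value are assumptions chosen to match the test request later in this guide and must be replaced with your own.

```yaml
# Example only: /factory-hooks/post-settings-php/services.yml
# Values below are assumptions for illustration; adjust them to your sites.
parameters:
  cors.config:
    # CORS handling is off unless this is set to true.
    enabled: true

    # Request headers a cross-origin client may send.
    # List only what your front end actually uses.
    allowedHeaders: ['content-type', 'authorization', 'x-csrf-token']

    # HTTP methods a cross-origin client may use.
    # ['*'] would allow every method; prefer an explicit list.
    allowedMethods: ['GET', 'POST', 'OPTIONS']

    # Exact origins (scheme + host, no trailing slash) that may read responses.
    # Weak setting to avoid:    allowedOrigins: ['*']
    # Restrictive setting used: one named origin, as in the Testing section.
    allowedOrigins: ['https://example.mydrupalsite.com']

    # Sets the Access-Control-Expose-Headers header; false exposes nothing extra.
    exposedHeaders: false

    # Sets the Access-Control-Max-Age header, in seconds (false omits it).
    maxAge: 600

    # Sets the Access-Control-Allow-Credentials header.
    # Keep this false unless cross-origin requests must carry cookies or
    # HTTP authentication, and never pair true with a wildcard origin.
    supportsCredentials: false
```

Because this file is loaded through the hook in the next step, the same policy applies to every site in the factory that runs this codebase, so list each origin that legitimately needs access rather than falling back to `['*']`.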

#### 3: Create the hook file

Files executed by the factory hooks must have a `.php` extension. Create a `services.php` file in the same directory and add these lines to it:

    <?php
    
    $settings['container_yamls'][] = __DIR__ . '/services.yml';

Commit both files to your repository. After making these changes to your codebase, test them in a non-production environment.

More information about Acquia Cloud Site Factory Hooks can be found in our product guide: [Hooks in Acquia Cloud Site Factory](/node/57269).

#### 4: Clear caches

Because this changes the Drupal container, which is cached, you must clear the Drupal cache for it to take effect (e.g. **drush cr --uri=mysite.com**).

### Testing

You can verify whether CORS-related headers appear by using either your browser's network inspector, or a **curl** command.

Note that Drupal only adds the CORS headers when the incoming request carries an **Origin** header, so the test request must include one.

Here is an example using **curl**:

    # NOTE: This example assumes that https://example.mydrupalsite.com is a valid Origin 
    #   as per the Drupal settings.
    $ curl -sSLIXGET -H "Origin: https://example.mydrupalsite.com" "http://example.mydrupalsite.com/filter/tips?cachebust="`date +%s` 
    HTTP/1.1 200 OK
    X-Generator: Drupal 8 (https://www.drupal.org)
    X-Drupal-Cache: MISS
    { ... snip ... }
    Access-Control-Allow-Origin: https://example.mydrupalsite.com
    Access-Control-Expose-Headers: 
    { ... snip ... }