Configure GitHub Pages CORS headers?

[trusktr]

Select Topic Area

Question

Body

How do we configure the CORS headers of a GitHub Pages site.

For example, I want to restrict which origins/domains can embed my GitHub Pages site in an iframe, or disallow other sites from displaying its resources.

This can normally be done by setting the Access-Control-Allow-Origin header to something more specific than *.

GitHub Pages sites are static, so it is not possible to make the server respond with the origin of the requester, but I am hoping that GitHub Pages could instead allow a static configuration, f.e. something like:

{
  "allowedOrigins": [
    "trusktr.github.io", // f.e. allow only my personal GitHub.io subdomain 
    "my-other-site.example" // f.e. also allow another domain of my choosing
  ]
}

Is this already possible? I'm not having luck finding anything if it is.

[ovidiuchis]

GitHub Pages is designed to serve static content without a server-side backend, which means that configuring custom HTTP headers, including Access-Control-Allow-Origin, is not natively supported.

❓ Why is this a challenge?

Since GitHub Pages only serves static assets, there is no server-side logic to handle dynamic CORS configurations. The server responds with default headers, and there is currently no way to modify them directly.

✅ Possible Workarounds:

Only if you're open to migrating to another hosting solution - none that I know of here.

[github-actions[bot]]

🕒 Discussion Activity Reminder 🕒

This Discussion has been labeled as dormant by an automated system for having no activity in the last 60 days. Please consider one the following actions:

1️⃣ Close as Out of Date: If the topic is no longer relevant, close the Discussion as out of date at the bottom of the page.

2️⃣ Provide More Information: Share additional details or context — or let the community know if you've found a solution on your own.

3️⃣ Mark a Reply as Answer: If your question has been answered by a reply, mark the most helpful reply as the solution.

Note: This dormant notification will only apply to Discussions with the Question label. To learn more, see our recent announcement.

Thank you for helping bring this Discussion to a resolution! 💬

[ManInTheHam]

GitHub Pages is a great option for static site hosting, but it does come with certain limitations — one of the main ones being that custom HTTP headers (like CORS or iframe restrictions) are not configurable.

❓ Why can’t we set CORS or security headers?
GitHub Pages serves content via a global CDN without exposing any backend or server configuration layer to the user. This means:

• You can’t modify headers like Access-Control-Allow-Origin or X-Frame-Options.
• There’s no support for .htaccess, _headers, or any JSON-based config that injects headers into responses.
• All served files use default GitHub-set headers, and there's currently no way to customize them.

So if you're trying to restrict which domains can embed your GitHub Pages site in an iframe or access its resources, you're essentially limited by this static setup.

TL;DR

• GitHub Pages does not support any way to configure CORS headers or prevent iframe embedding via server headers.
• You’ll need to use an external service (like Cloudflare or Netlify) to achieve this functionality.

[ManInTheHam]

Use a Custom Domain + Proxy/CDN Layer
You can point a custom domain to your GitHub Pages repo and proxy the requests through a platform that does allow header control:

🔹 Cloudflare – Set up Page Rules or Workers to inject headers.
🔹 Netlify – Use a _headers file to define per-route or global headers.
🔹 Firebase Hosting – Configure CORS and security headers via firebase.json.

[Mark31-dev]

Hey, GitHub Pages does not currently support custom configuration of CORS headers like Access-Control-Allow-Origin, so you cannot restrict which origins can embed your site in an iframe or access its resources using a static configuration. Since GitHub Pages is a static hosting service without server-side control, you can’t directly set CORS policies, this kind of control would require server-level access, which GitHub Pages doesn't provide. If you need CORS restrictions, consider using a custom server (e.g. via Cloudflare Workers, Netlify, Vercel, or your own backend) where you can configure response headers as needed.

[adnanbaqi]

GitHub Pages does not support custom CORS or security headers like Access-Control-Allow-Origin or X-Frame-Options. All public content is served with Access-Control-Allow-Origin: * by default, and there's no way to override it. Features like .htaccess, _headers, or custom config files are not supported.

If you need control over headers, you'll need to use a proxy layer or switch to a different host:

• Cloudflare Workers – to inject custom headers
• Netlify or Vercel – support _headers files for per-route headers
• Firebase Hosting – allows header config via firebase.json

TL;DR: GitHub Pages is static-only with no header control. Use a proxy or alternative host if you need to restrict CORS or iframe embedding.