I’ve been stuck on this problem for a few days now and I can’t seem to find a solution. Thank you in advance for your help.
I’ve configured CORS permissions in my index file as follows:
const corsOptions = {
origin: process.env.CORS_ORIGIN,
methods: ['GET', 'POST', 'PUT', 'DELETE', 'OPTIONS'],
allowedHeaders: ['Content-Type', 'Authorization', 'Pragma', 'Cache-Control'],
credentials: true
};
app.use((req, res, next) => {
res.setHeader('Access-Control-Allow-Origin', process.env.CORS_ORIGIN);
res.setHeader('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE, OPTIONS');
res.setHeader('Access-Control-Allow-Headers', 'Content-Type, Authorization, Pragma, Cache-Control');
res.setHeader('Access-Control-Allow-Credentials', 'true');
res.setHeader('Pragma', 'no-cache');
res.setHeader('Cache-Control', 'no-store, no-cache, must-revalidate, proxy-revalidate');
console.log('CORS headers:', res.getHeaders());
next();
});
app.options('*', (req, res) => {
res.setHeader('Access-Control-Allow-Origin', process.env.CORS_ORIGIN);
res.setHeader('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE, OPTIONS');
res.setHeader('Access-Control-Allow-Headers', 'Content-Type, Authorization, Pragma, Cache-Control');
res.setHeader('Access-Control-Allow-Credentials', 'true');
res.sendStatus(204);
});
app.use((req, res, next) => {
res.on('finish', () => {
const headers = res.getHeaders();
console.log('CORS headers:', headers);
console.log('Access-Control-Allow-Origin:', headers['access-control-allow-origin']);
console.log('Access-Control-Allow-Methods:', headers['access-control-allow-methods']);
console.log('Access-Control-Allow-Headers:', headers['access-control-allow-headers']);
console.log('Pragma:', headers['pragma']);
console.log('Cache-Control:', headers['cache-control']);
});
next();
});
(Note: corsOptions is not currently being used, as I’ve been doing a lot of testing.)
Despite this, I’m still getting the following error:
Access to XMLHttpRequest at ‘https://api.myapp.app/user/me’ from origin ‘https://myapp.app’ has been blocked by CORS policy: Response to preflight request doesn’t pass access control check: No ‘Access-Control-Allow-Origin’ header is present on the requested resource.
I’ve also configured my two Nginx configurations to ensure they do not handle CORS:
api.myapp.app:
server {
listen 80;
server_name api.myapp.app;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl;
server_name api.myapp.app;
ssl_certificate /etc/letsencrypt/live/api.myapp.app/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/api.myapp.app/privkey.pem;
ssl_dhparam /etc/nginx/ssl-dhparams.pem;
location /api/ {
proxy_pass http://localhost:3000/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
myapp.app:
server {
listen 80;
server_name myapp.app;
# Redirect to HTTPS
return 301 https://$host$request_uri;
}
server {
listen 443 ssl;
server_name myapp.app;
root /home/myapp/frontend/preview/browser;
index index.html;
ssl_certificate /etc/letsencrypt/live/myapp.app/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/myapp.app/privkey.pem;
ssl_dhparam /etc/nginx/ssl-dhparams.pem;
location / {
try_files $uri $uri/ /index.html;
}
location /api/ {
proxy_pass http://localhost:3000/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}
I really can’t find any solution. I’ve tried several things: re-enabling headers via Nginx resulted in a problem with multiple values (back + nginx). I also disabled CORS management via my backend, but then there was an issue with the pragma header not being transmitted…
By the way, what is the difference between handling CORS in Nginx versus in Node.js?
Thank you very much for your help, I’ve been struggling with this for several days…