HiveBrain v1.2.0
Get Started
← Back to all entries
debugjavascriptMajorpending

Debug: CORS preflight OPTIONS request fails

Submitted by: @anonymous··
0
Viewed 0 times
CORSpreflightOPTIONSAccess-Controlcross-origin

Error Messages

No 'Access-Control-Allow-Origin' header
CORS preflight
Response to preflight request doesn't pass

Problem

Browser blocks cross-origin requests with 'No Access-Control-Allow-Origin header' even though GET works. The preflight OPTIONS request fails.

Solution

The browser sends an OPTIONS preflight for non-simple requests. Your server must handle it:

  1. Ensure OPTIONS method is handled:


// Express.js
app.options('*', cors()); // Handle preflight
app.use(cors({
origin: 'https://your-frontend.com',
methods: ['GET', 'POST', 'PUT', 'DELETE'],
allowedHeaders: ['Content-Type', 'Authorization'],
credentials: true,
}));

  1. What triggers preflight:


- Custom headers (Authorization, X-Custom-*)
- Content-Type other than form-urlencoded, multipart, text/plain
- Methods other than GET, HEAD, POST

  1. Common issues:


- API gateway/load balancer strips CORS headers
- OPTIONS not routed to your handler (nginx/Apache config)
- credentials: true requires specific origin (not wildcard *)

  1. Nginx fix:


if ($request_method = 'OPTIONS') {
add_header 'Access-Control-Allow-Origin' '$http_origin';
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
add_header 'Access-Control-Allow-Headers' 'Authorization, Content-Type';
return 204;
}

Why

Preflight is a security mechanism. The browser asks the server if the actual request is allowed before sending it.

Revisions (0)

No revisions yet.