name: 'strapi::cors',
config: {
headers: ['accept-language', 'Token', 'Content-Type', 'Authorization', 'Accept', 'Origin', 'Response-Type'],
origin:
process.env.NODE_ENV === 'production'
? [`https://${process.env.DOMAIN}`, `https://${process.env.STRAPI_DOMAIN}`]
'http://127.0.0.1:3000',
'http://127.0.0.1:1337',
'http://localhost:3000',
'http://localhost:1337',
'https://api.traefik.me',
'https://docker.traefik.me',
In a local environment, I get
CORS errors
on POST request.
Here is what the preflight request gives me:
access-control-allow-headers: content-type
access-control-allow-methods: GET,HEAD,PUT,PATCH,POST,DELETE
access-control-allow-origin: *
As you can see, the origin is not correct and I don’t get the access-control-allow-credentials which is mandatory for my use case. But because it is not set, I get this error:
The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'.
Why isn’t the cors middleware working as expected ? I checked Strapi’s source code and the default cors values include this allow credentials header.
In a local docker environment it works - the preflight request gives me this:
access-control-allow-credentials: true
access-control-allow-headers: X-Requested-With,Accept,Content-Type,Content-Length,Authorization
access-control-allow-methods: GET,POST,PUT,OPTIONS,HEAD,DELETE
access-control-allow-origin: https://docker.traefik.me
What is the problem with local environment ?
This topic has been created from a Discord post (1271027344613572639) to give it more visibility.
It will be on Read-Only mode here.
Join the conversation on Discord
- Database: sqlite
- Operating system: macos on M1 chip
- Is your project Javascript or Typescript: Typescript
### Describe the bug
I have this custom cors configuration in `/config/middlewares.ts`:
```typescript
name: 'strapi::cors',
config: {
headers: ['accept-language', 'Token', 'Content-Type', 'Authorization', 'Accept', 'Origin', 'Response-Type'],
origin:
process.env.NODE_ENV === 'production'
? [`https://${process.env.DOMAIN}`, `https://${process.env.STRAPI_DOMAIN}`]
'http://127.0.0.1:3000',
'http://127.0.0.1:1337',
'http://localhost:3000',
'http://localhost:1337',
'https://api.traefik.me',
'https://docker.traefik.me',
In a local environment, I get CORS errors on POST request.
Here is what the preflight request gives me:
access-control-allow-headers: content-type
access-control-allow-methods: GET,HEAD,PUT,PATCH,POST,DELETE
access-control-allow-origin: *
As you can see, the origin is not correct and I don't get the `access-control-allow-credentials` which is mandatory for my use case. But because it is not set, I get this error:
The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'.
Why isn't the cors middleware working as expected ? I checked Strapi's source code and the default cors values include this allow credentials header.
### A case where it is working
In a local docker environment it works - the preflight request gives me this:
access-control-allow-credentials: true
access-control-allow-headers: X-Requested-With,Accept,Content-Type,Content-Length,Authorization
access-control-allow-methods: GET,POST,PUT,OPTIONS,HEAD,DELETE
access-control-allow-origin: https://docker.traefik.me
What is the problem with local environment ?
### Expected behavior
When I declare a cors middleware custom config, I want it to be taken into account.
### Screenshots
The preflight response in localhost that is not working as expected.
<img width="520" alt="Screenshot 2024-08-08 at 11 07 22" src="https://github.com/user-attachments/assets/f329fe5a-eff1-440b-be96-d30f514a0b9f">
