CORS error Request header field Authorization is not allowed by Access-Control-Allow-Headers in preflight response

Question

I am trying to send the request from one localhost port to the another  I am using angularjs on the frontend and node on the backend   Since it is CORS request  In node js  i am using   res header  Access-Control-Allow-Origin         res header  Access-Control-Allow-Methods    GET  POST  PUT  DELETE  PATCH    res header  Access-Control-Allow-Headers    Origin  X-Requested-With  Content-Type  Accept  Authorization      and in the angular js service file  I am using  return       getValues   resource endpoint     admin getvalues   null             get                  method   GET                headers   Authorization   Bearer        localStorage token                              I am getting the following error  Request header field Authorization is not allowed by Access-Control-Allow-Headers in preflight response   Please help

User · Answer

For anyone getting this using ServiceStack backend  add  Authorization  to allowed headers in the Cors plugin   Plugins Add new CorsFeature allowedHeaders   Content-Type Authorization

User · Answer

You have to add options also in allowed headers  browser sends a preflight request before original request is sent  See below   res header  Access-Control-Allow-Methods    GET PUT POST DELETE PATCH OPTIONS      From source https   developer mozilla org en-US docs Web HTTP Methods OPTIONS     In CORS  a preflight request with the OPTIONS method is sent  so that the server can respond whether it is acceptable to send the request with these parameters  The Access-Control-Request-Method header notifies the server as part of a preflight request that when the actual request is sent  it will be sent with a POST request method  The Access-Control-Request-Headers header notifies the server that when the actual request is sent  it will be sent with a X-PINGOTHER and Content-Type custom headers   The server now has an opportunity to determine whether it wishes to accept a request under these circumstances    EDITED  You can avoid this manual configuration by using npmjs com package cors npm package I have used this method also  it is clear and easy

User · Answer

This is an API issue  you won t get this error if using Postman Fielder to send HTTP requests to API  In case of browsers  for security purpose  they always send OPTIONS request preflight to API before sending the actual requests  GET POST PUT DELETE   Therefore  in case  the request method is OPTION  not only you need to add  Authorization  into  Access-Control-Allow-Headers   but you need to add  OPTIONS  into  Access-Control-allow-methods  as well  This was how I fixed   if  context Request Method     OPTIONS                         context Response Headers Add  Access-Control-Allow-Origin   new      string context Request Headers  Origin                   context Response Headers Add  Access-Control-Allow-Headers   new      Origin  X-Requested-With  Content-Type  Accept  Authorization                  context Response Headers Add  Access-Control-Allow-Methods   new      GET  POST  PUT  DELETE  OPTIONS                  context Response Headers Add  Access-Control-Allow-Credentials   new      true

User · Answer

The res header  Access-Control-Allow-Origin         wouldn t work with Autorization header  Just enable pre-flight request  using cors library   var express   require  express   var cors   require  cors   var app   express   app use cors    app options      cors

User · Answer

First you need to install cors by using below command    npm install cors --save   Now add the following code to your app starting file like   app js or server js   var express   require  express    var app   express     var cors   require  cors    var bodyParser   require  body-parser       enables cors app use cors      allowedHeaders     sessionId    Content-Type       exposedHeaders     sessionId       origin           methods    GET HEAD PUT PATCH POST DELETE      preflightContinue   false       require    router index   app

User · Answer

If you don t want to install the cors library and instead want to fix your original code  the other step you are missing is that Access-Control-Allow-Origin   is wrong  When passing Authentication tokens  e g  JWT  then you must explicitly state every url that is calling your server  You can t use     when doing authentication tokens

[javascript] CORS error :Request header field Authorization is not allowed by Access-Control-Allow-Headers in preflight response

Examples related to javascript

Examples related to angularjs

Examples related to node.js

Examples related to http-headers

Examples related to cors