CORS config not working

System Information
  • Strapi Version: 4
  • Operating System: Windows
  • Database: Sqlite
  • Node Version: 20.11.0
  • NPM Version: 10.3.0

First time Strapi-user here .To make the endpoints a bit more difficult to abuse, I want to enable CORS. However, no matter what I do, it seems as though Strapi completely ignores any config that I set in the middleware.js file

To test it out, I decided to just add the values from the example and then modify them so that my GET requests should be denied. This is the config that I added in middlewares.js

module.exports = [
    name: "strapi::cors",
    config: {
      origin: [
      maxAge: 31536000,
      methods: ["POST"],
      headers: ["Content-Type", "Authorization", "Origin", "Accept"],
      keepHeadersOnError: false,

However, all that this does is that it doesn’t allow me to access the admin panel. I can still call the endpoints just fine. I’ve tried adding the deprecated “enable” option which gives me the console warning that it is deprecated, so the config is being reached and run, it’s just not working. I can still reach the data from the api’s by pasting the urls into my browser. At least it feels like the GET requests should be denied, but absolutely nothing happens.

I’ve tried making calls from browsers and a next.js app. The project is hosted in Strapi Cloud.