I have this custom cors configuration in /config/middlewares.ts:
{
name: 'strapi::cors',
config: {
headers: ['accept-language', 'Token', 'Content-Type', 'Authorization', 'Accept', 'Origin', 'Response-Type'],
origin:
process.env.NODE_ENV === 'production'
? [`https://${process.env.DOMAIN}`, `https://${process.env.STRAPI_DOMAIN}`]
: [
'http://127.0.0.1:3000',
'http://127.0.0.1:1337',
'http://localhost:3000',
'http://localhost:1337',
'https://api.traefik.me',
'https://docker.traefik.me',
],
},
}
In a local environment, I get CORS errors on POST request.
Here is what the preflight request gives me:
access-control-allow-headers: content-type
access-control-allow-methods: GET,HEAD,PUT,PATCH,POST,DELETE
access-control-allow-origin: *
As you can see, the origin is not correct and I don’t get the access-control-allow-credentials which is mandatory for my use case. But because it is not set, I get this error:
The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'.
Why isn’t the cors middleware working as expected ? I checked Strapi’s source code and the default cors values include this allow credentials header.
In a local docker environment it works - the preflight request gives me this:
access-control-allow-credentials: true
access-control-allow-headers: X-Requested-With,Accept,Content-Type,Content-Length,Authorization
access-control-allow-methods: GET,POST,PUT,OPTIONS,HEAD,DELETE
access-control-allow-origin: https://docker.traefik.me
What is the problem with local environment ?
This topic has been created from a Discord post (1271027344613572639) to give it more visibility.
It will be on Read-Only mode here.
Join the conversation on Discord