Forbidden 403 to fetch a private article with Cookies

[details=“System Information”]

  • Strapi Version: 3.6.3
  • Operating System: Ubuntu 20.04.1 LTS
  • MongoDB: v4.4.6
  • Node Version: v14.15.4
  • NPM Version: 6.14.10
  • Yarn Version: 1.22.10

I am working on an authentication blog using Gatsby and Strapi where I have to make some content as private and some as public.

I followed this thread to send cookies from the Strapi server: Use of JWT in httpOnly cookie #4632 - #27 by davoscript

I’m having trouble fetching a single article. It’s giving me 403 Forbidden Error. I can see a jwt token being set in the browser. Cookie is present in the Request Header as well.

My frontend request:

 const response = await axios({
            method: 'post',
            url: `http://localhost:1337/graphql`,
            data: { 
                query: `
                    query($id: ID!){
                        article(id: $id ) {
                            author {
                    variables: {
                        id: id,
            withCredentials: true

Setting cors middle inside config/middleware.js file:

  • If the origin is " * " then Strapi server works fine but the frontend throws cors error

  • If I mention origin explicitly as http://localhost:8000 then the server throws an error which is “InternalServerError: http://localhost:1337 is not valid origin”. But, frontend doesn’t throw me cors error anymore and JWT Token is set in the browser’s cookie. However, the main issue which is to fetch a single article remains the same.


module.exports = {
  settings: {
    cors: {
      origin: ['http://localhost:8000'], // throws Internal Server Errror but cors issue is resolved
   // origin: [ " * " ] // doesn't throw Strapi server error but gets cors error on the fronend

But now, when I restart the server, it says “InternalServerError: http://localhost:1337 is not a valid origin” And frontend doesn’t throw me cors error anymore.

FrontEnd Repo:
Backend Repo:

Any idea why it’s throwing a “403 Forbidden" error?

1 Like