Do you need app.options and app.use(cors()); ??

[sinclas]

Hi,

I have a client that is getting a CORS error for preflight. So, we added the"app.options", in addition to the app.use. Do we need to add both for all routes? (nodeJS with Express).

Code in the main JS file in node. This is executed prior to any routes:

app.options('*', cors()) // include before other routes
app.use(cors()); // Header support for Express

Is this redundant? Will the second line cause the preflight to fail or are both necessary? We have a client that is failing the preflight with both Chrome and Edge.

Thanks!
Steve

[dougwilson]

Hello, and sorry you are having trouble. To answer your question, if you are using app.use for your cors middleware then you do not need to also use app.options, though it won't hurt anything. The reason is that app.use will run for all http methods -- only if you have the cors middleware on a non-options route like app.post that needs to support preflight requests would also need the app.options configuration.

[sinclas]

Hi,
I had a feeling that was the case. We only used app.use(cors());, but then out of nowhere, a client of ours is having preflight failure and can't use our platform. We added the app.options('*', cors()) as a precaution to the preflight issues but they are still having preflight issues in both Chrome and Edge. We are trying to make sure everything on the server side is solid. We have never seen this before and then there is a preflight failure....out of nowhere. There is nothing more we can do on our side, other than suggest a plugin for the client., which is not the best option.

What other options should we pursue if the client is still failing? This is the Chrome error (real web address changed) : 'https://sampleapi.com/me' from origin 'https://sampleeapp.com' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin'

Any help on this would be appreciated!

thanks.
Steve

[fzn0x]

Same issue with me, are you using an API gateway?

[fzn0x]

If yes, you can check if there's any solution provided by the infrastructure documentation for CORS.

[sinclas]

No, I have a NodeJS instance running solo. I do use the AWS gateway API and no CORS issues there. Will send the account that is having issues a link to one of those CORS test websites. I have done everything on the server side at this point!

[jub0bs]

@sinclas It would be interesting to see the problematic preflight request and its response.

[andrewdibiasio6]

@sinclas I am having similar issues. Any updates? I actually can see that my server is not providing the "allow-control-access-origin" header. This only happened when I enabled credentials. I also have this issue with edge, firefox, and chrome"

[digtiarenko]

Same here

[alexnault]

#277 (comment)

@sinclas We are having this exact issue. Did you manage to get around it?

[LanguageXange]

any update on this ? thanks!

[parasop]

access to fetch at 'https://localhost:3000' from origin 'localhost:5000' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.

[lazarok09]

Hi guys, i managed to get a solution to this issue by adding a lib called cors. This is my express controller of auth methods.

The provided code demonstrates how the origin key in the corsOptions object is utilized to specify the correct origin, which is set to localhost:3000 in this instance. However, it's important to note that in your specific scenario, this origin value is likely to differ. You should tailor it to match the website for which you are encountering CORS preflight issues.

import express, { Response } from 'express';

import AuthController from '../../controllers/auth';
import cors from 'cors';

const corsOptions = {
  origin: "http://localhost:3000",
  optionsSuccessStatus: 200, // some legacy browsers (IE11, various SmartTVs) choke on 204
};

export const AuthRouter = () => {
  const router = express.Router();
  // Auth
  router.use('/', express.json());
  router.use('/', express.urlencoded({ extended: true }));

  router.use('/signin', cors(corsOptions));
  router.post('/signin', AuthController.signIn);
  return router;
};

What you guys need to test before going to browser, is if the OPTIONS method return all the things you guys need. In my case, was just the allow origin that was missing. As we can see here in the Insomnia

[AntoineSierzputowski]

Hi
I have the same issue. I'm using app.use(cors()) but I'm encountering preflight problems.
According to the documentation and your comments, adding an option on a route that takes all methods is unnecessary, right?
Have you found a solution?

[lazarok09]

Hi I have the same issue. I'm using app.use(cors()) but I'm encountering preflight problems. According to the documentation and your comments, adding an option on a route that takes all methods is unnecessary, right? Have you found a solution?

Give some read at https://developer.mozilla.org/en-US/docs/Glossary/Preflight_request and make a OPTIONS http request to your server route and watch how it respond to you. It might show somenthing that is missing. In that case, you're gonna need to do some more config in the cors options.

@sinclas I am having similar issues. Any updates? I actually can see that my server is not providing the "allow-control-access-origin" header. This only happened when I enabled credentials. I also have this issue with edge, firefox, and chrome"

about that, when your client application send a credentials header, the server needs to know that he can accept those headers. So you need to specify the specific origin that will send that header to your server. In a case when your front-end is in localhost:3000 and make a credentials request to localhost:5000, the localhost:5000 in the route you're gonna send credentials need to say, hey, sup, i accept credentials headers from localhost:3000.