Request header field Access-Control-Allow-Headers is not allowed by itself in preflight response
Solution 1:
When you start playing around with custom request headers you will get a CORS preflight. This is a request that uses the HTTP OPTIONS
verb and includes several headers, one of which being Access-Control-Request-Headers
listing the headers the client wants to include in the request.
You need to reply to that CORS preflight with the appropriate CORS headers to make this work. One of which is indeed Access-Control-Allow-Headers
. That header needs to contain the same values the Access-Control-Request-Headers
header contained (or more).
https://fetch.spec.whatwg.org/#http-cors-protocol explains this setup in more detail.
Solution 2:
This is what you need to add to make it work.
response.setHeader("Access-Control-Allow-Origin", "*");
response.setHeader("Access-Control-Allow-Credentials", "true");
response.setHeader("Access-Control-Allow-Methods", "GET,HEAD,OPTIONS,POST,PUT");
response.setHeader("Access-Control-Allow-Headers", "Access-Control-Allow-Headers, Origin,Accept, X-Requested-With, Content-Type, Access-Control-Request-Method, Access-Control-Request-Headers");
The browser sends a preflight request (with method type OPTIONS) to check if the service hosted on the server is allowed to be accessed from the browser on a different domain. In response to the preflight request if you inject above headers the browser understands that it is ok to make further calls and i will get a valid response to my actual GET/POST call. you can constraint the domain to which access is granted by using Access-Control-Allow-Origin", "localhost, xvz.com" instead of * . ( * will grant access to all domains)
Solution 3:
This problem solved with
"Origin, X-Requested-With, Content-Type, Accept, Authorization"
Particular in my project (express.js/nodejs)
app.use(function(req, res, next) {
res.header("Access-Control-Allow-Origin", "*");
res.header("Access-Control-Allow-Methods", "GET,HEAD,OPTIONS,POST,PUT");
res.header("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept, Authorization");
next();
});
Update:
Every time error: Access-Control-Allow-Headers is not allowed by itself in preflight response
error you can see what wrong with chrome developer tool:
above error is missing Content-Type
so add string Content-Type
to Access-Control-Allow-Headers
Solution 4:
The accepted answer is ok, but I had difficulties to understand it. So here is a simple example to clarify it.
In my ajax request I had a standard Authorization header.
$$(document).on('ajaxStart', function(e){
var auth_token = localStorage.getItem(SB_TOKEN_MOBILE);
if( auth_token ) {
var xhr = e.detail.xhr;
xhr.setRequestHeader('**Authorization**', 'Bearer ' + auth_token);
}
This code produces the error in the question. What I had to do in my nodejs server was to add Authorization in allowed headers:
res.setHeader('Access-Control-Allow-Headers', 'X-Requested-With,content-type,**Authorization**');
Solution 5:
To add to the other answers. I had the same problem and this is the code i used in my express server to allow REST calls:
app.all('*', function(req, res, next) {
res.header('Access-Control-Allow-Origin', 'URLs to trust of allow');
res.header('Access-Control-Allow-Methods', 'GET, POST, OPTIONS, PUT, PATCH, DELETE');
res.header('Access-Control-Allow-Headers', 'Content-Type');
if ('OPTIONS' == req.method) {
res.sendStatus(200);
} else {
next();
}
});
What this code basically does is intercepts all the requests and adds the CORS headers, then continue with my normal routes. When there is a OPTIONS request it responds only with the CORS headers.
EDIT: I was using this fix for two separate nodejs express servers on the same machine. In the end I fixed the problem with a simple proxy server.