Nginx – Access-Control-Allow-Origin value overridden for OPTIONS requests


I am trying to enable CORS for multiple subdomains, as was suggested here:

It works fine, except for OPTIONS requests. No matter what I do, when the request method is OPTIONS the Access-Control-Allow-Origin is set to *.

Not sure if it matters but I am using ingress-nginx on Kubernetes.

It seems to me that Nginx has some internal code that runs after all the configurations I've made are applied and if the request method is OPTIONS it changes the Access-Control-Allow-Origin to *.

If anyone has any clue about what is going on or any suggestion about how to fix this please let me know.

Thank you!

Best Answer

Answering my own question for those who may need this in the future...

What worked for us was to remove the following annotations:

And use this code on the snippet to set the headers dynamically: |-
  if ($request_uri ~ ^/(.*)/swagger-ui.html) {
    return 403;
  }
  add_header Content-Security-Policy "frame-ancestors *";
  # Reflect the Origin only when it matches one of the allowed domains
  if ($http_origin ~* (https?://.*\.dev\.totvs\.io(:[0-9]+)?$)) {
    set $allow_origin $http_origin;
  }
  if ($http_origin ~* (https?://.*\.dev\.totvs\.app(:[0-9]+)?$)) {
    set $allow_origin $http_origin;
  }
  more_set_headers 'Access-Control-Allow-Origin: $allow_origin';
  more_set_headers 'Access-Control-Allow-Credentials: true';
  more_set_headers 'Access-Control-Allow-Methods: PUT, GET, PATCH, DELETE, POST, OPTIONS';
  more_set_headers 'Access-Control-Allow-Headers: DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization';
  # CORS preflight requests need additional headers and a different return code - UPDATED
  if ($request_method = 'OPTIONS') {
      more_set_headers 'Access-Control-Max-Age: 1728000';
      more_set_headers 'Content-Type: text/plain; charset=UTF-8';
      more_set_headers 'Content-Length: 0';
      return 204;
  }
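Because the snippet reflects the matching Origin together with `Access-Control-Allow-Credentials: true`, it is worth checking exactly which Origin values its two patterns accept. The following is an added example, not part of the original answer: it approximates nginx's `~*` match with Python's `re.search`, and `STRICT_PATTERNS` and `SAMPLE_ORIGINS` are assumptions constructed for the comparison.

```python
import re

# Origin patterns copied from the snippet above. nginx `~*` is an unanchored,
# case-insensitive PCRE match; re.search + IGNORECASE approximates it here.
PAGE_PATTERNS = [
    r"(https?://.*\.dev\.totvs\.io(:[0-9]+)?$)",
    r"(https?://.*\.dev\.totvs\.app(:[0-9]+)?$)",
]

# Assumption (not from the page): a tighter variant anchored with ^ that only
# accepts DNS-label characters between the scheme and the allowed suffix.
STRICT_PATTERNS = [
    r"^https?://([a-z0-9-]+\.)+dev\.totvs\.io(:[0-9]+)?$",
    r"^https?://([a-z0-9-]+\.)+dev\.totvs\.app(:[0-9]+)?$",
]

# Constructed Origin header values, not taken from real traffic.
SAMPLE_ORIGINS = [
    "https://api.dev.totvs.io",
    "http://a.b.dev.totvs.app:8080",
    "HTTPS://API.DEV.TOTVS.IO",
    "https://dev.totvs.io",                  # no subdomain label
    "https://apidev.totvs.io",               # missing the dot before "dev"
    "https://api.dev.totvs.io.example.net",  # allowed name used as a prefix
    "https://example.net/.dev.totvs.io",     # ".*" also spans "/"
]

def allow_origin(origin, patterns):
    """Value $allow_origin would hold: the origin itself on a match, else ''."""
    for pattern in patterns:
        if re.search(pattern, origin, re.IGNORECASE):
            return origin
    return ""

def audit(origins=SAMPLE_ORIGINS):
    """Return {origin: (reflected_by_page, reflected_by_strict)}."""
    return {
        o: (bool(allow_origin(o, PAGE_PATTERNS)),
            bool(allow_origin(o, STRICT_PATTERNS)))
        for o in origins
    }

if __name__ == "__main__":
    for origin, (page, strict) in audit().items():
        print(f"{origin:40} page={page!s:5} strict={strict}")
```

Only the last sample differs between the two pattern sets, and browsers never send an Origin that contains a path, so the tighter patterns change behaviour only for hand-crafted requests.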