Nginx services fails for cross-domain requests if the service returns error

cross-domainnginx

I am making a cross domain request in my web app.

I have set the CORS headers on Nginx. Everything is working fine except when the service returns an error like 404, 400, 500 etc, instead of receiving the error code, the service is failing with an error saying that the Origin *********** is not allowed by Access-Control-Allow-Origin.

Any ideas why this might be happening?

This is what the nginx setting looks like;

location /api {
    add_header Access-Control-Allow-Origin *;
}

Best Answer

Unfortunately add_header won't work with status codes other than 200, 204, 301, 302 or 304. You can find this in the documentation here.

You may be able to use this plugin to do what you want:

https://www.nginx.com/resources/wiki/modules/headers_more/

Correct way in new versions of nginx

Turn out my first answer to this question was correct at certain time, but it turned into another pitfall - to stay up to date please check Taxing rewrite pitfalls

I have been corrected by many SE users, so the credit goes to them, but more importantly, here is the correct code:

server {
       listen         80;
       server_name    my.domain.com;
       return         301 https://$server_name$request_uri;
}

server {
       listen         443 ssl;
       server_name    my.domain.com;
       # add Strict-Transport-Security to prevent man in the middle attacks
       add_header Strict-Transport-Security "max-age=31536000" always; 

       [....]
}

LiteSpeed – Enable Access-Control-Allow-Origin for CORS Requests

The problem's with Chrome.

If you add more than one ACAO, Chrome doesn't know what to do with it.

It also seems to be the case for any other header related to CORS.

Best Answer

Related Solutions

NGINX Redirect – How to Rewrite All HTTP Requests to HTTPS While Maintaining Sub-Domain

Correct way in new versions of nginx

LiteSpeed – Enable Access-Control-Allow-Origin for CORS Requests

Related Topic