Cloudflare Access CORS Problem

pau1 · August 2, 2021, 7:40am

Hi everyone,

I am having an Issue with Cloudflare Access. I have a frontend at: “web.domain.com” and an API at “api.domain.com”, they are both for a development environment, so I want to put them both behind Cloudflare Access. I configured the Cloudflare Access App like this: “*.domain.com”, so I would protect both with the same application. As for the CORS settings, I have configured them the following way:
Enabled “Access-Control-Allow-Credentials”. Added in the “Access-Control-Allow-Origin” the origins: “web.domain.com” and “null”, as specified at the documentation (for some reason it does not allow me to select the “Allow All Origins” option). I have set “Allow all https headers” and “Allow all methods”.
For the “Cookie Settings”, I have the “None” option and “HTTP Only” and “Enable Cookie binding” set.

“web.domain.com” has a login page that, when submitted, makes and API call to authenticate the user to “api.domain.com”. My problem is the following: I go to “web.domain.com” and authenticate correctly (using the Google method) in Cloudflare Access. Then, when I enter the login form and submit it (so it makes de API call to “api.domain.com”), make the preflight correctly to the api (returns a 200 code and the access-control-* headears seem to be okay). To be more specific, the headers returned in the preflight call are: “access-control-allow-credentials: true”, “access-control-allow-headers: authorization,content-type”, “access-control-allow-methods: POST”, “access-control-allow-origin: https://web.domain.com”, “access-control-max-age: 3600”, " vary: Origin, Access-Control-Request-Method, Access-Control-Request-Headers, Accept-Encoding". Then, when it actually makes the API Call to “api.domain.com”, it returns a 302 and the location to redirect is set to “https://domain.cloudflareaccess.com/cdn-cgi/access/login/api.domain.com?kid=26c2a0777f421147da1339c8bccffe795432b138b7201e896f86e50e29faad72&redirect_url=%2Fv1%2Fusers%2Flogin&meta=e…”. Then it makes the request to this location and returns de login authentication html page of Cloudflare Access.

Does anybody knows how to fix it? Thank you in advance.

Pau

erictung · August 2, 2021, 8:09am

If I’m not mistaken, when you authenticated to access one application (e.g. web.domain.com) doesn’t mean that you automatically have access to api.domain.com. Different applications need to be authenticated separately.

In your situation, it’s better not to protect your API using Cloudflare Access. Try using firewall rules to block API requests not coming from web.domain.com referer.

pau1 · August 2, 2021, 9:49am

Hi, thank you for answering @erictung. web.domain.com isn’t the only place from which I need to access the API (other sites and even mobile devices), any ideas on how I could protect it using Cloudflare Access?

widgetshub · January 25, 2022, 9:36am

Hi,

Did you find any solutions? I have same problem with multiple domain API request.

mmcghee · May 23, 2022, 6:36pm

We’re currently battling the same issues and CF support is not helping. Has anyone out there found a solution?

christophercovington · November 4, 2022, 3:17pm

The same-origin Workers proxy that adds cf-access-client-* headers CORS · Cloudflare Zero Trust docs worked for me. My frontend is hosted by Pages.

braedv · October 5, 2024, 3:23am

I have the exact same setup and also looking for a solution to this - how do I authenticate a mobile app? Service Tokens?

brucejo.wk · February 23, 2025, 7:44pm

Check this solution out:

Topic		Replies	Views
Unable to use Access CORS with Access Access	2	1995	January 18, 2022
Never Ending CORS Issues Access	1	48	February 17, 2025
How to customize cors in Cloudflare Security	2	3011	March 18, 2021
'Access-Control-Allow-Origin' missing from Response Header when request via cloudflare DNS & Network	3	3161	November 8, 2022
Cloudflare stripping off CORS headers? DNS & Network	1	3371	July 7, 2021

Cloudflare Access CORS Problem

Related topics