Cloudflare Access CORS Problem

Hi everyone,

I am having an Issue with Cloudflare Access. I have a frontend at: “” and an API at “”, they are both for a development environment, so I want to put them both behind Cloudflare Access. I configured the Cloudflare Access App like this: “*”, so I would protect both with the same application. As for the CORS settings, I have configured them the following way:
Enabled “Access-Control-Allow-Credentials”. Added in the “Access-Control-Allow-Origin” the origins: “” and “null”, as specified at the documentation (for some reason it does not allow me to select the “Allow All Origins” option). I have set “Allow all https headers” and “Allow all methods”.
For the “Cookie Settings”, I have the “None” option and “HTTP Only” and “Enable Cookie binding” set.” has a login page that, when submitted, makes and API call to authenticate the user to “”. My problem is the following: I go to “” and authenticate correctly (using the Google method) in Cloudflare Access. Then, when I enter the login form and submit it (so it makes de API call to “”), make the preflight correctly to the api (returns a 200 code and the access-control-* headears seem to be okay). To be more specific, the headers returned in the preflight call are: “access-control-allow-credentials: true”, “access-control-allow-headers: authorization,content-type”, “access-control-allow-methods: POST”, “access-control-allow-origin:”, “access-control-max-age: 3600”, " vary: Origin, Access-Control-Request-Method, Access-Control-Request-Headers, Accept-Encoding". Then, when it actually makes the API Call to “”, it returns a 302 and the location to redirect is set to “…”. Then it makes the request to this location and returns de login authentication html page of Cloudflare Access.

Does anybody knows how to fix it? Thank you in advance.


1 Like

If I’m not mistaken, when you authenticated to access one application (e.g. doesn’t mean that you automatically have access to Different applications need to be authenticated separately.

In your situation, it’s better not to protect your API using Cloudflare Access. Try using firewall rules to block API requests not coming from referer.

Hi, thank you for answering @erictung. isn’t the only place from which I need to access the API (other sites and even mobile devices), any ideas on how I could protect it using Cloudflare Access?


Did you find any solutions? I have same problem with multiple domain API request.

We’re currently battling the same issues and CF support is not helping. Has anyone out there found a solution?

The same-origin Workers proxy that adds cf-access-client-* headers CORS · Cloudflare Zero Trust docs worked for me. My frontend is hosted by Pages.