I’ve just reproduced the issue. I get a 521 error on the preflight request for whatever API call I try to make.
The error I get is “Access to XMLHttpRequest at ‘https://api.xxxxxx.xxx/xxxxx’ from origin ‘https://xxxxxx.xxx’ has been blocked by CORS policy: Response to preflight request doesn’t pass access control check: No ‘Access-Control-Allow-Origin’ header is present on the requested resource.”
Behind the scenes the API is created using the Serverless framework and the corresponding AWS Lambda function does return the “Access-Control-Allow-Origin” header. It works fine so long as the Cloudflare Proxy isn’t enabled.
Ideally I would like to avoid the preflight request altogether but I’m not sure it’s possible since the website and the api are on different subdomains. In any case the preflight requests should not be failing.