Cloudflare proxy stripping response CORS headers

We have the following three services running on K8S and proxied by Cloudflare (CF):
ui.examples.com, api1.examples.com, api2.examples.com

High-level setup is as below:

(browser) <—tls—> (CF) <—tls—> (DigitalOcean LB) <----tls----> (NginX Ingress) <-----> (ui.examples.com, api1.examples.com, api2.examples.com)K8S

Issue: Browser is not loading the site because of CORS issues
Finding: Cloudflare stripping off all CORS response headers
We have the same setup without CF (our dev env) and we can see that all the CORS headers are coming to the browser.

Community, please let us know if there is any setting or how to fix it.

Thanks
Arvind

I highly doubt that those headers are stripped unless something is specifically set up to do that, like a worker or an app.

Have you tried querying directly DO’s LB in the production environment?

That's what I think as well.
I tested my site via https://gf.dev/secure-headers-test and it showed just fine that all Headers I set are also there.

Would anyway recommend everyone to set all headers besides Public-Key-Pins.

Hi Matteo,
I can only test that by taking my DNS out of Cloudflare, right? Or are there other ways?

Thanks for the reply

You can cURL the DigitalOcean Load Balancer directly without disabling Cloudflare or you can unproxy the record temporarily and check normally.
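
An added example, not part of the original posts, of the direct-to-load-balancer check suggested above: it pins the hostname to the load balancer with curl's `--resolve` and compares the `Access-Control-*` headers seen on both paths. The load balancer IP argument and the header dumps are constructed placeholders; the `Origin` header is sent because many servers emit CORS headers only on cross-origin requests.

```shell
# Added example, not from the thread. Hostnames are the thread's; the load
# balancer IP argument and the header dumps below are constructed placeholders.
# Fetch response headers for a cross-origin GET. With a 2nd argument, pin the
# hostname to that IP so SNI/Host stay correct while bypassing Cloudflare.
fetch_headers() {
  curl -s -o /dev/null -D - -H "Origin: https://ui.examples.com" \
    ${2:+--resolve "$1:443:$2"} "https://$1/"
}

# Reduce a header dump (stdin) to sorted "name: value" CORS lines, names lowercased.
cors_headers() {
  tr -d '\r' | awk 'tolower($0) ~ /^access-control-[a-z-]*:/ {
    i = index($0, ":"); v = substr($0, i + 1); sub(/^ */, "", v)
    print tolower(substr($0, 1, i - 1)) ": " v }' | sort
}

# Print CORS header names the origin sent ($1) that the edge response ($2) lacks.
missing_at_edge() {
  edge=$(printf '%s\n' "$2" | cors_headers | cut -d: -f1)
  for h in $(printf '%s\n' "$1" | cors_headers | cut -d: -f1); do
    printf '%s\n' "$edge" | grep -qxF "$h" || printf '%s\n' "$h"
  done
}

diagnose() {  # $1 = origin dump, $2 = edge dump
  if [ -z "$(printf '%s\n' "$1" | cors_headers)" ]; then
    echo "origin sends no CORS headers: fix the ingress or app, not Cloudflare"
  elif [ -n "$(missing_at_edge "$1" "$2")" ]; then
    echo "lost after the origin: $(missing_at_edge "$1" "$2" | paste -sd' ' -)"
  else
    echo "all origin CORS headers reach the client"
  fi
}

ORIGIN_OK='HTTP/1.1 200 OK
Access-Control-Allow-Origin: https://ui.examples.com
Access-Control-Allow-Credentials: true'
EDGE_OK='HTTP/2 200
access-control-allow-origin: https://ui.examples.com
access-control-allow-credentials: true'
NO_CORS='HTTP/1.1 200 OK
Content-Type: application/json'

if [ -n "${2:-}" ]; then   # live: sh cors-check.sh api1.examples.com <LB_IP>
  diagnose "$(fetch_headers "$1" "$2")" "$(fetch_headers "$1")"
else                       # offline: replay the constructed dumps
  diagnose "$ORIGIN_OK" "$EDGE_OK"
  diagnose "$NO_CORS" "$NO_CORS"
fi
```
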

Thanks Matteo, seems it was due to my faulty Nginx ingress controller.
Thank you so much.
