Cloudflare stripping CORS headers during xmlhttprequest with javascript to my public api (apache)

I doing XMLHttpRequest from my main domain to my subdomain (api.*). Apache is configured that my subdomain must response with Header set Access-Control-Allow-Origin "*" header. I also enabled headers module. So there are no other reasons why this CORS header isn’t coming to browser request - it being stripped by Cloudflare. Which page rules should I apply for my subdomain to allow anyone access pages with XMLHttpRequest?

This topic was automatically closed after 14 days. New replies are no longer allowed.