CORS headers deleted?

We have the headers generated by code and passed up via Servers (AWS) to loadbalanacers (AWS) to CF.

When we come via direct to LB, we get the headers:
< Access-Control-Allow-Origin: https://www.[HIDDEN].com
< Access-Control-Allow-Credentials: true
< Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS
< Access-Control-Allow-Headers: Origin, Content-Type, accept, x-request-with

But when using CF, these are missing.

I have disabled the WAF for the subdomain and this issue remains.

Any guidance on this one will help.

Cloudflare include the Origin request in the cache key, explicitly so that your origin can adjust the CORS headers on a per Origin basis.

How are your testing? The following is a good starting point to start comparing the CF response and your origins response to the same requests.

curl -o /dev/null —dump-header -

curl -H “Origin:” -o /dev/null —dump-header -

curl —resolve -o /dev/null —dump-header -

curl  —resolve -H “Origin:” -o /dev/null —dump-header -

This topic was automatically closed after 14 days. New replies are no longer allowed.