We have the headers generated by code and passed up via Servers (AWS) to loadbalanacers (AWS) to CF.
When we come via direct to LB, we get the headers:
< Access-Control-Allow-Origin: https://www.[HIDDEN].com
< Access-Control-Allow-Credentials: true
< Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS
< Access-Control-Allow-Headers: Origin, Content-Type, accept, x-request-with
But when using CF, these are missing.
I have disabled the WAF for the subdomain and this issue remains.
Any guidance on this one will help.