How can I prevent/disable Cloudflare Access redirect for preflight request?

I have 2 endpoints:

app.domain.com for the frontend and
api.domain.com for the backend

I enabled both sites with Cloudflare Access.
When I log in to Cloudflare Access from the frontend, I want the backend to be authenticated too.
So perhaps I should send the cookie to the backend using xmlhttprequest.withCredentials = true

But the request has a preflight and it gets redirected.
How can I disable the redirect on preflight? Or is there another method that is recommended?
Thanks!

This question is reposted to the security-access category without tags, as suggested by cloonan

2 Likes

Bumping into this as well. Anything other than app level/code workarounds?

Preflight cannot include any cookie (by design). This is why you must set the CORS options in your Access application. That won’t take care of your unauthenticated backend issue, because Cloudflare Access cookies are seemingly always per-domain. I haven’t found a solution for that one.

And yes, your backend requests will need to have “WithCredentials” and your CORS settings (both at your origin and your Access application) will need to allow it.

1 Like
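
The origin-side half of the CORS settings mentioned in the reply above, as an added example that is not part of the original thread and not Cloudflare's code: a handler decision that answers the cookie-less preflight and permits credentialed requests from the frontend only. The `https` scheme, the function name `corsDecision`, and the method and header allow-lists are assumptions; the CORS options of the Access application are configured separately.

```javascript
// Added example: origin-side CORS decision for credentialed cross-origin calls.
// Assumed values: https scheme and the method/header allow-lists below.
const ALLOWED_ORIGINS = new Set(["https://app.domain.com"]); // frontend from the question
const ALLOWED_METHODS = ["GET", "POST", "PUT", "DELETE"];      // constructed
const ALLOWED_HEADERS = ["content-type", "authorization"];     // constructed

// Returns { status, headers }. status is 204/403 for a preflight that should be
// answered immediately, or null when the headers belong on the real response.
function corsDecision(method, reqHeaders) {
  const h = {};
  for (const [k, v] of Object.entries(reqHeaders)) h[k.toLowerCase()] = v;
  const origin = h["origin"];
  const headers = { Vary: "Origin" }; // response differs per Origin, keep caches honest

  // Unknown or absent origin: emit no CORS headers, so the browser blocks the read.
  if (!origin || !ALLOWED_ORIGINS.has(origin)) {
    return { status: method === "OPTIONS" ? 403 : null, headers };
  }

  // With credentials the browser rejects "*": echo the exact allowed origin
  // and send Access-Control-Allow-Credentials: true.
  headers["Access-Control-Allow-Origin"] = origin;
  headers["Access-Control-Allow-Credentials"] = "true";

  const wantedMethod = h["access-control-request-method"];
  if (method !== "OPTIONS" || !wantedMethod) return { status: null, headers };

  // Preflight: it arrives without cookies, so answer it before any auth check.
  const wantedHeaders = (h["access-control-request-headers"] || "")
    .split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);
  if (!ALLOWED_METHODS.includes(wantedMethod) ||
      !wantedHeaders.every((name) => ALLOWED_HEADERS.includes(name))) {
    return { status: 403, headers: { Vary: "Origin" } };
  }
  headers["Access-Control-Allow-Methods"] = ALLOWED_METHODS.join(", ");
  headers["Access-Control-Allow-Headers"] = ALLOWED_HEADERS.join(", ");
  headers["Access-Control-Max-Age"] = "600";
  return { status: 204, headers };
}

// Constructed sample preflight, as a browser sends it for a JSON POST.
const samplePreflight = corsDecision("OPTIONS", {
  Origin: "https://app.domain.com",
  "Access-Control-Request-Method": "POST",
  "Access-Control-Request-Headers": "content-type",
});
console.log(samplePreflight.status, samplePreflight.headers);
```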