Incorrect CORS Headers on OPTIONS Preflight Response - Origin Not Reached

I am experiencing a persistent and intermittent CORS policy error for users accessing my website, specifically for API calls made from my frontend on https://[my-domain] to my backend on https://[my-domain]:8443.

The Problem:

Users intermittently receive the following CORS error in their browser console:

Access to XMLHttpRequest at 'https://[my-domain]:8443/user/game-setting' from origin 'https://[my-domain]' has been blocked by CORS policy: Request header field p-authorization is not allowed by Access-Control-Allow-Headers in preflight response.

This error occurs during the browser’s preflight OPTIONS request, which is triggered because my frontend includes a custom header (P-Authorization).

My Setup:

• Frontend: React application hosted on https://[my-domain].

• Backend: Express.js application running on my origin server, listening directly on port 8443 using HTTPS.

• CORS Configuration: My Express application uses the cors middleware with the default configuration (app.use(cors());), which should allow all origins and reflect requested headers in the Access-Control-Allow-Headers response.

• Cloudflare: My domain [my-domain] is managed by Cloudflare.

Debugging Performed:

1. Direct API Access: Accessing the API endpoint directly via the browser address bar (e.g., https://[my-domain]:8443/user/game-setting?token=…) works correctly. This confirms the backend endpoint logic and token validation are functional, and that GET requests without custom headers (which bypass preflight) succeed.

2. Backend CORS Check: I’ve verified my backend code uses app.use(cors()); with default settings, which should correctly handle the OPTIONS preflight and allow the p-authorization header.

3. curl -v Test: I used curl -v -X OPTIONS https://[my-domain]:8443/user/game-setting -H “Origin: https://[my-domain]” -H “Access-Control-Request-Method: GET” -H “Access-Control-Request-Headers: p-authorization” from an external network to simulate the browser’s preflight request.

Contradictory curl -v Results:

Running the curl -v command at different times yields inconsistent results for the CORS response headers.

Attempt 1 (Problematic Response - Matches User Error):

< HTTP/2 200
< date: Mon, 19 May 2025 17:33:38 GMT # Example date
... other headers ...
< access-control-allow-origin: https://[my-domain]
< access-control-allow-methods: POST,OPTIONS
< access-control-max-age: 86400
< vary: Origin
< access-control-allow-credentials: true
< access-control-allow-headers: Content-Type  <-- PROBLEM HERE!
... Cloudflare headers ...
< server: cloudflare
< cf-ray: [some-ray-id] # Example Ray ID
... other headers ...

Interpretation: This response came from Cloudflare (indicated by server: cloudflare, cf-ray). It incorrectly specified Access-Control-Allow-Headers: Content-Type, causing the browser to block the request that requires P-Authorization. Note the absence of Express-specific headers like X-Powered-By.

Attempt 2 (Correct Response - Matches Expected Backend Behavior):

< HTTP/2 204
< date: Mon, 19 May 2025 17:49:04 GMT # Example date
< x-powered-by: Express  <-- Indicates request reached my origin
< access-control-allow-origin: *
< access-control-allow-methods: GET,HEAD,PUT,PATCH,POST,DELETE # Matches cors() defaults
< vary: Access-Control-Request-Headers
< access-control-allow-headers: p-authorization  <-- CORRECT headers for preflight
... Cloudflare headers ...
< server: cloudflare
< cf-ray: [some-different-ray-id] # Example Ray ID
... other headers ...

Interpretation: This response shows the request reached my Express origin (x-powered-by: Express). My Express app’s default cors() middleware correctly handled the OPTIONS request and responded with Access-Control-Allow-Headers: p-authorization. Cloudflare headers (server: cloudflare, cf-ray) are still present, showing it’s in the path.

Conclusion:

Based on the curl outputs, Cloudflare is confirmed to be in front of my application on port 8443 and is intermittently intercepting or responding to the OPTIONS preflight requests before they consistently reach my origin server (where Express is configured to handle them correctly). Sometimes Cloudflare seems to pass the request through, and sometimes it sends a response with incorrect/incomplete CORS headers (Access-Control-Allow-Headers: Content-Type).

The intermittent nature and the different responses suggest a possible issue with Cloudflare’s caching of OPTIONS responses or inconsistent edge behavior on port 8443.

Request for Assistance:

1. Why is Cloudflare interfering with/responding to OPTIONS requests on port 8443, and why is this behavior intermittent? (Is this expected behavior for Spectrum or other configurations on non-standard ports?)

2. How can I configure Cloudflare to consistently ensure that for requests to https://[my-domain]:8443:

• It includes p-authorization (and content-type, authorization) in the Access-Control-Allow-Headers response for OPTIONS requests from the https://[my-domain] origin.

• Ideally, could Cloudflare be configured to not add CORS headers on 8443 and simply pass the OPTIONS request to my origin so my backend’s cors() middleware can handle it consistently?

3. Could a Cloudflare cache issue be causing the intermittent problem? I have tried purging the cache, but the issue persists for some users.

Please guide me on where in the Cloudflare dashboard (Spectrum, Workers, Firewall rules, etc.) I should look for the configuration that is adding or modifying headers on port 8443, and how to adjust it to resolve this intermittent CORS error for my users.

Face exactly same problem, anyone can help?

Guys, this is URGENT bug!!
I am experiencing a persistent and intermittent CORS policy error for users accessing my website, specifically for API calls made from my frontend on https://[my-domain] to my backend on https://[my-domain]:8443.

The Problem:

Users intermittently receive the following CORS error in their browser console:

Access to XMLHttpRequest at 'https://[my-domain]:8443/user/game-setting' from origin 'https://[my-domain]' has been blocked by CORS policy: Request header field p-authorization is not allowed by Access-Control-Allow-Headers in preflight response.

content_copydownload

Use code with caution.

This error occurs during the browser’s preflight OPTIONS request, which is triggered because my frontend includes a custom header (P-Authorization).

My Setup:

• Frontend: React application hosted on https://[my-domain].

• Backend: Express.js application running on my origin server, listening directly on port 8443 using HTTPS.

• CORS Configuration: My Express application uses the cors middleware with the default configuration (app.use(cors());), which should allow all origins and reflect requested headers in the Access-Control-Allow-Headers response.

• Cloudflare: My domain [my-domain] is managed by Cloudflare.

Debugging Performed:

1. Direct API Access: Accessing the API endpoint directly via the browser address bar (e.g., https://[my-domain]:8443/user/game-setting?token=…) works correctly. This confirms the backend endpoint logic and token validation are functional, and that GET requests without custom headers (which bypass preflight) succeed.

2. Backend CORS Check: I’ve verified my backend code uses app.use(cors()); with default settings, which should correctly handle the OPTIONS preflight and allow the p-authorization header.

3. curl -v Test: I used curl -v -X OPTIONS https://[my-domain]:8443/user/game-setting -H “Origin: https://[my-domain]” -H “Access-Control-Request-Method: GET” -H “Access-Control-Request-Headers: p-authorization” from an external network to simulate the browser’s preflight request.

Contradictory curl -v Results:

Running the curl -v command at different times yields inconsistent results for the CORS response headers.

Attempt 1 (Problematic Response - Matches User Error):

< HTTP/2 200
< date: Mon, 19 May 2025 17:33:38 GMT # Example date
... other headers ...
< access-control-allow-origin: https://[my-domain]
< access-control-allow-methods: POST,OPTIONS
< access-control-max-age: 86400
< vary: Origin
< access-control-allow-credentials: true
< access-control-allow-headers: Content-Type  <-- PROBLEM HERE!
... Cloudflare headers ...
< server: cloudflare
< cf-ray: [some-ray-id] # Example Ray ID
... other headers ...

content_copydownload

Use code with caution.

Interpretation: This response came from Cloudflare (indicated by server: cloudflare, cf-ray). It incorrectly specified Access-Control-Allow-Headers: Content-Type, causing the browser to block the request that requires P-Authorization. Note the absence of Express-specific headers like X-Powered-By.

Attempt 2 (Correct Response - Matches Expected Backend Behavior):

< HTTP/2 204
< date: Mon, 19 May 2025 17:49:04 GMT # Example date
< x-powered-by: Express  <-- Indicates request reached my origin
< access-control-allow-origin: *
< access-control-allow-methods: GET,HEAD,PUT,PATCH,POST,DELETE # Matches cors() defaults
< vary: Access-Control-Request-Headers
< access-control-allow-headers: p-authorization  <-- CORRECT headers for preflight
... Cloudflare headers ...
< server: cloudflare
< cf-ray: [some-different-ray-id] # Example Ray ID
... other headers ...

content_copydownload

Use code with caution.

Interpretation: This response shows the request reached my Express origin (x-powered-by: Express). My Express app’s default cors() middleware correctly handled the OPTIONS request and responded with Access-Control-Allow-Headers: p-authorization. Cloudflare headers (server: cloudflare, cf-ray) are still present, showing it’s in the path.

Conclusion:

Based on the curl outputs, Cloudflare is confirmed to be in front of my application on port 8443 and is intermittently intercepting or responding to the OPTIONS preflight requests before they consistently reach my origin server (where Express is configured to handle them correctly). Sometimes Cloudflare seems to pass the request through, and sometimes it sends a response with incorrect/incomplete CORS headers (Access-Control-Allow-Headers: Content-Type).

The intermittent nature and the different responses suggest a possible issue with Cloudflare’s caching of OPTIONS responses or inconsistent edge behavior on port 8443.

Request for Assistance:

1. Why is Cloudflare interfering with/responding to OPTIONS requests on port 8443, and why is this behavior intermittent? (Is this expected behavior for Spectrum or other configurations on non-standard ports?)

2. How can I configure Cloudflare to consistently ensure that for requests to https://[my-domain]:8443:

• It includes p-authorization (and content-type, authorization) in the Access-Control-Allow-Headers response for OPTIONS requests from the https://[my-domain] origin.

• Ideally, could Cloudflare be configured to not add CORS headers on 8443 and simply pass the OPTIONS request to my origin so my backend’s cors() middleware can handle it consistently?

3. Could a Cloudflare cache issue be causing the intermittent problem? I have tried purging the cache, but the issue persists for some users.

Please guide me on where in the Cloudflare dashboard (Spectrum, Workers, Firewall rules, etc.) I should look for the configuration that is adding or modifying headers on port 8443, and how to adjust it to resolve this intermittent CORS error for my users.

Happening right now. Again.

Not using any page rules, bo transforms, actually I enabled development mode. Only CDN. It Is a cloudflare urgent bug. Free plan

Can you share the original 2 curl commands results

It randomly start/stop working to me and my website users.
It must be cloudflare issue.

First: (when it doesn’t work)
curl -v -X OPTIONS https://www.pokeisrael.net:8443/user/game-setting -H “Origin: https://www.pokeisrael.net” -H “Access-Control-Request-Method: GET” -H “Access-Control-Request-Headers: p-authorization”

• Host www.pokeisrael.net:8443 was resolved.

• IPv6: (none)

• IPv4: 104.21.39.169, 172.67.146.200

• Trying 104.21.39.169:8443…

• Connected to www.pokeisrael.net (104.21.39.169) port 8443

• ALPN: curl offers h2,http/1.1

• (304) (OUT), TLS handshake, Client hello (1):

• CAfile: /etc/ssl/cert.pem

• CApath: none

• (304) (IN), TLS handshake, Server hello (2):

• (304) (IN), TLS handshake, Unknown (8):

• (304) (IN), TLS handshake, Certificate (11):

• (304) (IN), TLS handshake, CERT verify (15):

• (304) (IN), TLS handshake, Finished (20):

• (304) (OUT), TLS handshake, Finished (20):

• SSL connection using TLSv1.3 / AEAD-CHACHA20-POLY1305-SHA256 / [blank] / UNDEF

• ALPN: server accepted h2

• Server certificate:

• subject: CN=pokeisrael.net

• start date: Apr 3 19:49:06 2025 GMT

• expire date: Jul 2 20:46:23 2025 GMT

• subjectAltName: host “www.pokeisrael.net” matched cert’s “*.pokeisrael.net”

• issuer: C=US; O=Google Trust Services; CN=WE1

• SSL certificate verify ok.

• using HTTP/2

• [HTTP/2] [1] OPENED stream for https://www.pokeisrael.net:8443/user/game-setting

• [HTTP/2] [1] [:method: OPTIONS]

• [HTTP/2] [1] [:scheme: https]

• [HTTP/2] [1] [:authority: www.pokeisrael.net:8443]

• [HTTP/2] [1] [:path: /user/game-setting]

• [HTTP/2] [1] [user-agent: curl/8.7.1]

• [HTTP/2] [1] [accept: /]

• [HTTP/2] [1] [origin: https://www.pokeisrael.net]

• [HTTP/2] [1] [access-control-request-method: GET]

• [HTTP/2] [1] [access-control-request-headers: p-authorization]

OPTIONS /user/game-setting HTTP/2
Host: www.pokeisrael.net:8443
User-Agent: curl/8.7.1
Accept: /
Origin: https://www.pokeisrael.net
Access-Control-Request-Method: GET
Access-Control-Request-Headers: p-authorization

• Request completely sent off
  < HTTP/2 200
  < date: Mon, 19 May 2025 17:33:38 GMT
  < content-type: text/plain
  < access-control-allow-origin: https://www.pokeisrael.net
  < access-control-allow-methods: POST,OPTIONS
  < access-control-max-age: 86400
  < vary: Origin
  < access-control-allow-credentials: true
  < access-control-allow-headers: Content-Type
  < report-to: {“group”:“cf-nel”,“max_age”:604800,“endpoints”:[{“url”:“https://a.nel.cloudflare.com/report/v4?s=fVi%2B0%2FeaW6ZdsLam8UaJV8OklQqVx%2FAlPAj%2BLazEVVjbW3DQMpgIfltFzaDK%2BSNfHDagk3PEOxLCCANWjprImAJcu7o3amFDRi9uUCbTYPsecQ%3D%3D”}]}
  < nel: {“report_to”:“cf-nel”,“success_fraction”:0.0,“max_age”:604800}
  < server: cloudflare
  < cf-ray: 9425572d5d3de27e-MRS
  < alt-svc: h3=“:8443”; ma=86400
  <

• Connection #0 to host www.pokeisrael.net left intact

Second, when it does work:
curl -v -X OPTIONS https://www.pokeisrael.net:8443/user/game-setting -H “Origin: https://www.pokeisrael.net” -H “Access-Control-Request-Method: GET” -H “Access-Control-Request-Headers: p-authorization”

• Host www.pokeisrael.net:8443 was resolved.

• IPv6: (none)

• IPv4: 172.67.146.200, 104.21.39.169

• Trying 172.67.146.200:8443…

• Connected to www.pokeisrael.net (172.67.146.200) port 8443

• ALPN: curl offers h2,http/1.1

• (304) (OUT), TLS handshake, Client hello (1):

• CAfile: /etc/ssl/cert.pem

• CApath: none

• (304) (IN), TLS handshake, Server hello (2):

• (304) (IN), TLS handshake, Unknown (8):

• (304) (IN), TLS handshake, Certificate (11):

• (304) (IN), TLS handshake, CERT verify (15):

• (304) (IN), TLS handshake, Finished (20):

• (304) (OUT), TLS handshake, Finished (20):

• SSL connection using TLSv1.3 / AEAD-CHACHA20-POLY1305-SHA256 / [blank] / UNDEF

• ALPN: server accepted h2

• Server certificate:

• subject: CN=pokeisrael.net

• start date: Apr 3 19:49:06 2025 GMT

• expire date: Jul 2 20:46:23 2025 GMT

• subjectAltName: host “www.pokeisrael.net” matched cert’s “*.pokeisrael.net”

• issuer: C=US; O=Google Trust Services; CN=WE1

• SSL certificate verify ok.

• using HTTP/2

• [HTTP/2] [1] OPENED stream for https://www.pokeisrael.net:8443/user/game-setting

• [HTTP/2] [1] [:method: OPTIONS]

• [HTTP/2] [1] [:scheme: https]

• [HTTP/2] [1] [:authority: www.pokeisrael.net:8443]

• [HTTP/2] [1] [:path: /user/game-setting]

• [HTTP/2] [1] [user-agent: curl/8.7.1]

• [HTTP/2] [1] [accept: /]

• [HTTP/2] [1] [origin: https://www.pokeisrael.net]

• [HTTP/2] [1] [access-control-request-method: GET]

• [HTTP/2] [1] [access-control-request-headers: p-authorization]

OPTIONS /user/game-setting HTTP/2
Host: www.pokeisrael.net:8443
User-Agent: curl/8.7.1
Accept: /
Origin: https://www.pokeisrael.net
Access-Control-Request-Method: GET
Access-Control-Request-Headers: p-authorization

• Request completely sent off
  < HTTP/2 204
  < date: Mon, 19 May 2025 17:49:04 GMT
  < x-powered-by: Express
  < access-control-allow-origin: *
  < access-control-allow-methods: GET,HEAD,PUT,PATCH,POST,DELETE
  < vary: Access-Control-Request-Headers
  < access-control-allow-headers: p-authorization
  < nel: {“report_to”:“cf-nel”,“success_fraction”:0.0,“max_age”:604800}
  < report-to: {“group”:“cf-nel”,“max_age”:604800,“endpoints”:[{“url”:“https://a.nel.cloudflare.com/report/v4?s=4X53ON%2B7ITJlQ%2FnuIdo1CWi5PGiM6xpK99Sh7wiNrJR9l8Uz2A5yWw6JBWXVd7PMGgCa3rBRgyd8HxKoyC0VcAl%2FwAR44qfwBGuHh4iX%2F6w%3D”}]}
  < cf-cache-status: DYNAMIC
  < server: cloudflare
  < cf-ray: 94256dc6eca74687-MRS
  < alt-svc: h3=“:8443”; ma=86400
  <

• Connection #0 to host www.pokeisrael.net left intact

I seem to be able to reliably reproduce the issue
If you make the following request, it doesn’t work:

curl -v -X OPTIONS https://www.pokeisrael.net:8443/user/game-setting \
    -H "Origin: https://www.pokeisrael.net" \
    -H "Access-Control-Request-Method: GET" \
    -H "Access-Control-Request-Headers: p-authorization"  

//Ignore all the resolving and SSL handshake

< date: Mon, 19 May 2025 19:15:40 GMT
< content-type: text/plain
< access-control-allow-origin: https://www.pokeisrael.net
< access-control-allow-methods: POST,OPTIONS
< access-control-max-age: 86400
< vary: Origin
< access-control-allow-credentials: true
< access-control-allow-headers: Content-Type
< report-to: {"group":"cf-nel","max_age":604800,"endpoints":[{"url":"https://a.nel.cloudflare.com/report/v4?s=kBQw8ukTNcgCxAMFBmg2z6U1pY7880SOtxBPe%2BfyIv65D3E6s8fpA%2FL8shmcoEX4GXH6UuxND3IS5n98Qrw1f7aNuaSMIy%2BQ02JA5e6em2Ozfw%3D%3D"}]}
< nel: {"report_to":"cf-nel","success_fraction":0.0,"max_age":604800}
< server: cloudflare
< cf-ray: 9425eca27f3d03d1-MAD
< alt-svc: h3=":8443"; ma=86400
< 

However, if you make the same request and exclude the origin header we are getting the expected response:

curl -v -X OPTIONS https://www.pokeisrael.net:8443/user/game-setting \
    -H "Access-Control-Request-Method: GET" \
    -H "Access-Control-Request-Headers: p-authorization"  

//Ignore all the resolving and SSL handshake

> OPTIONS /user/game-setting HTTP/2
> Host: www.pokeisrael.net:8443
> User-Agent: curl/8.14.0-DEV
> Accept: */*
> Access-Control-Request-Method: GET
> Access-Control-Request-Headers: p-authorization
> 
* Request completely sent off
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
< HTTP/2 204 
< date: Mon, 19 May 2025 19:17:25 GMT
< x-powered-by: Express
< access-control-allow-origin: *
< access-control-allow-methods: GET,HEAD,PUT,PATCH,POST,DELETE
< vary: Access-Control-Request-Headers
< access-control-allow-headers: p-authorization
< nel: {"report_to":"cf-nel","success_fraction":0.0,"max_age":604800}
< report-to: {"group":"cf-nel","max_age":604800,"endpoints":[{"url":"https://a.nel.cloudflare.com/report/v4?s=te22SU0dChYY3CFlgAOv0tqBJ6DviNg8wd0nqE4DFZTOsbGcxyV%2F%2BhyimEov0BN78VT020zhATDc%2BUgVi%2FudnGkp7HxLRYjrJ%2FdAGgRIdfw%3D"}]}
< cf-cache-status: DYNAMIC
< server: cloudflare
< cf-ray: 9425ef3069e50370-MAD
< alt-svc: h3=":8443"; ma=86400
< 

Double check on Cloudflare if you have any rules that are affecting the request/response headers or and origin rules here

https://dash.cloudflare.com/?to=/:account/:zone/rules/overview

No rules. no page rules.
This is a Cloudflare bug, and I have no idea how to workaround this, also can’t contact support, just write here..
But at least you found something (although I’m not sure, since it sometimes works for me and others, and sometimes not, so this is weird…)

Hi everyone,

I’m experiencing what seems to be the exact same CORS issue others have reported recently when using a Cloudflare Worker. Everything was working fine until very recently, and now I’m getting this error:

Access to XMLHttpRequest at 'https://xxxxx.xxxxx.workers.dev/xxxx' from origin 'https://xxxxx.com' has been blocked by CORS policy: Request header field x-requested-with is not allowed by Access-Control-Allow-Headers in preflight response.

It may not be the same URL or header field in each case, but the underlying issue seems identical. It looks like something might have changed on Cloudflare’s side, as I haven’t modified anything on my end.

Would appreciate any insights or solutions if anyone has found a workaround. Thanks!

I’m experiencing the same issue and i dont use anything. It was problematic earlier this week, but now it’s gotten worse. Sometimes it works, and sometimes it doesn’t. I haven’t changed anything on my end. If I don’t enable Cloudflare, it works just fine. Any help would be appreciated.

Randomly started to experience the same issue today. Disabling the DNS proxy was the only solution for now.

Same here
GET https://api.[mydomain]/endpoint works
but
POST https://api.[mydomain]/endpoint2 with Authorization header fails CORS with HeaderDissallowedByPreflightResponse

I think there might be a bigger issue here.

The same issue doesn’t manifest @eliraneln when you access it directly from the origin.

curl -v -X OPTIONS https://www.pokeisrael.net:8443/user/game-setting     
--resolve www.pokeisrael.net:8443:**5XX.XXX.XXX.XXX** \
--insecure \
-H "Origin: https://www.pokeisrael.net" \
-H "Access-Control-Request-Method: GET" \
-H "Access-Control-Request-Headers: p-authorization"

@callum5, the issue seems to be present too when the origin header is set, cant check the origin.

As a work around could be to add a Request Header Transform Rule

https://dash.cloudflare.com/?to=/:account/:zone/rules/overview

Screenshot 2025-05-19 at 21.21.012320×1280 186 KB

I’m experiencing the same issue right now. It’s affecting our uptime and seems to be exactly your issue. I’ve checked all the same cURL commands and receiving identical results. Something is wrong.

Hello,

We are experiencing the same issue. I have tried to deploy advised rule but the frontend of the application is still unusable. The same issue persist in our use case.

In our case POST requests with Authorization header are failing CORS.

I tested our web app from different browsers. In chrome stable CORS fails, in chrome canary everything works fine. I guess it might be due to different cloudflare servers those browsers are speaking to. Maybe a subset of cloudflare servers has this issue and others dont.

What is the name of the domain?

What is the issue you’re encountering

Cloudflare intermittently interfering with CORS preflight on non-standard port (8443)

What steps have you taken to resolve the issue?

I am experiencing a persistent and intermittent CORS policy error for users accessing my website, specifically for API calls made from my frontend on https://[my-domain] to my backend on https://[my-domain]:8443.
The Problem:
Users intermittently receive the following CORS error in their browser console:
Access to XMLHttpRequest at ‘https://[my-domain]:8443/user/game-setting’ from origin ‘https://[my-domain]’ has been blocked by CORS policy: Request header field p-authorization is not allowed by Access-Control-Allow-Headers in preflight response.
Use code with caution.
This error occurs during the browser’s preflight OPTIONS request, which is triggered because my frontend includes a custom header (P-Authorization).
My Setup:
Frontend: React application hosted on https://[my-domain].
Backend: Express.js application running on my origin server, listening directly on port 8443 using HTTPS.
CORS Configuration: My Express application uses the cors middleware with the default configuration (app.use(cors());), which should allow all origins and reflect requested headers in the Access-Control-Allow-Headers response.
Cloudflare: My domain [my-domain] is managed by Cloudflare.
Debugging Performed:
Direct API Access: Accessing the API endpoint directly via the browser address bar (e.g., https://[my-domain]:8443/user/game-setting?token=…) works correctly. This confirms the backend endpoint logic and token validation are functional, and that GET requests without custom headers (which bypass preflight) succeed.
Backend CORS Check: I’ve verified my backend code uses app.use(cors()); with default settings, which should correctly handle the OPTIONS preflight and allow the p-authorization header.
curl -v Test: I used curl -v -X OPTIONS https://[my-domain]:8443/user/game-setting -H “Origin: https://[my-domain]” -H “Access-Control-Request-Method: GET” -H “Access-Control-Request-Headers: p-authorization” from an external network to simulate the browser’s preflight request.
Contradictory curl -v Results:
Running the curl -v command at different times yields inconsistent results for the CORS response headers.
Attempt 1 (Problematic Response - Matches User Error):
< HTTP/2 200
< date: Mon, 19 May 2025 17:33:38 GMT # Example date
… other headers …
< access-control-allow-origin: https://[my-domain]
< access-control-allow-methods: POST,OPTIONS
< access-control-max-age: 86400
< vary: Origin
< access-control-allow-credentials: true
< access-control-allow-headers: Content-Type ← PROBLEM HERE!
… Cloudflare headers …
< server: cloudflare
< cf-ray: [some-ray-id] # Example Ray ID
… other headers …
Use code with caution.
Interpretation: This response came from Cloudflare (indicated by server: cloudflare, cf-ray). It incorrectly specified Access-Control-Allow-Headers: Content-Type, causing the browser to block the request that requires P-Authorization. Note the absence of Express-specific headers like X-Powered-By.
Attempt 2 (Correct Response - Matches Expected Backend Behavior):
< HTTP/2 204
< date: Mon, 19 May 2025 17:49:04 GMT # Example date
< x-powered-by: Express ← Indicates request reached my origin
< access-control-allow-origin: *
< access-control-allow-methods: GET,HEAD,PUT,PATCH,POST,DELETE # Matches cors() defaults
< vary: Access-Control-Request-Headers
< access-control-allow-headers: p-authorization ← CORRECT headers for preflight
… Cloudflare headers …
< server: cloudflare
< cf-ray: [some-different-ray-id] # Example Ray ID
… other headers …
Use code with caution.
Interpretation: This response shows the request reached my Express origin (x-powered-by: Express). My Express app’s default cors() middleware correctly handled the OPTIONS request and responded with Access-Control-Allow-Headers: p-authorization. Cloudflare headers (server: cloudflare, cf-ray) are still present, showing it’s in the path.
Conclusion:
Based on the curl outputs, Cloudflare is confirmed to be in front of my application on port 8443 and is intermittently intercepting or responding to the OPTIONS preflight requests before they consistently reach my origin server (where Express is configured to handle them correctly). Sometimes Cloudflare seems to pass the request through, and sometimes it sends a response with incorrect/incomplete CORS headers (Access-Control-Allow-Headers: Content-Type).
The intermittent nature and the different responses suggest a possible issue with Cloudflare’s caching of OPTIONS responses or inconsistent edge behavior on port 8443.
Request for Assistance:
Why is Cloudflare interfering with/responding to OPTIONS requests on port 8443, and why is this behavior intermittent? (Is this expected behavior for Spectrum or other configurations on non-standard ports?)
How can I configure Cloudflare to consistently ensure that for requests to https://[my-domain]:8443:
It includes p-authorization (and content-type, authorization) in the Access-Control-Allow-Headers response for OPTIONS requests from the https://[my-domain] origin.
Ideally, could Cloudflare be configured to not add CORS headers on 8443 and simply pass the OPTIONS request to my origin so my backend’s cors() middleware can handle it consistently?
Could a Cloudflare cache issue be causing the intermittent problem? I have tried purging the cache, but the issue persists for some users.
Please guide me on where in the Cloudflare dashboard (Spectrum, Workers, Firewall rules, etc.) I should look for the configuration that is adding or modifying headers on port 8443, and how to adjust it to resolve this intermittent CORS error for my users.

We are experiencing the same problem, for the second time this month.

The last time this occurred was on 05/05/2025 and ‘resolved itself’ around 16:00 UTC. It resulted in our website being completely unusable.

Are you also on cloudflare free or else?