What is the name of the domain?
What is the error number?
525
What is the error message?
Access to fetch at ‘https://directus-mijn.controlenergy.nl/graphql’ from origin ‘https://controlenergy.nl’ has been blocked by CORS policy: No ‘Access-Control-Allow-Origin’ header is present on the requested resource. If an opaque response serves your needs, set the request’s mode to ‘no-cors’ to fetch the resource with CORS disabled.
What is the issue you’re encountering
The same request’s response sometimes has, and sometimes does NOT have, the Access-Control-Allow-Origin header on it.
What steps have you taken to resolve the issue?
Google, it seems Cloudflare might be the culprit
Was the site working with SSL prior to adding it to Cloudflare?
Yes
What is the current SSL/TLS setting?
Full (strict)
There are four requests to https://directus-mijn.controlenergy.nl/graphql on the homepage, here is a successful one:
This is a failed one:
As you can see for the failed one, a lot less response headers are sent, could Cloudflare be the culprit here?
Failed one here, as I can only post one image per post…
When I do curl -I -H "Origin: http://localhost:3000" https://directus-mijn.controlenergy.nl/graphql --resolve directus-mijn.controlenergy.nl:443:188.245.32.52 I get the following:
HTTP/2 405
access-control-allow-credentials: true
access-control-allow-origin: http://localhost:3000
access-control-expose-headers: Content-Range
allow: GET, POST
alt-svc: h3=":443"; ma=2592000
cache-control: public, max-age=3600
content-security-policy: script-src 'self' 'unsafe-eval';worker-src 'self' blob:;child-src 'self' blob:;img-src 'self' data: blob: https://raw.githubusercontent.com https://avatars.githubusercontent.com;media-src 'self';connect-src 'self' https://* wss://*;default-src 'self';base-uri 'self';font-src 'self' https: data:;form-action 'self';frame-ancestors 'self';object-src 'none';script-src-attr 'none';style-src 'self' https: 'unsafe-inline'
content-type: application/json; charset=utf-8
date: Mon, 03 Mar 2025 10:57:51 GMT
etag: W/"b1-dzMAg5Q8Hfz6P5O46+vl5M4my4A"
server: Caddy
vary: Origin
x-powered-by: Directus
content-length: 177
So it seems Directus is not the problem here.
The failed request returns status code 525, so it makes sense that it doesn’t contain any headers.
A 525 indicates a problem during the SSL handshake, so the question becomes why the handshake occasionally fails.
However, I can’t reproduce the error using curl. Can you reproduce it outside a browser?
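A small probe harness to separate the two failure modes discussed above (a 525 from the edge, where no application headers are expected, versus a real missing Access-Control-Allow-Origin from the app). This is an added example, not code from the thread or from Directus/Cloudflare; the sample header blocks are constructed from the curl output posted above, and curl_fetch is a hypothetical helper that needs network access.

```python
from __future__ import annotations
import re
import subprocess
from typing import Callable

# Constructed sample: the curl -I output quoted in the thread (405 because HEAD is not allowed on /graphql).
SAMPLE_OK = """HTTP/2 405
access-control-allow-credentials: true
access-control-allow-origin: http://localhost:3000
vary: Origin
server: Caddy
"""

# Constructed sample: an edge-side TLS failure; Cloudflare itself answers 525, the app is never reached.
SAMPLE_525 = """HTTP/2 525
server: cloudflare
"""

def parse_head(raw: str) -> tuple[int, dict[str, str]]:
    """Parse curl -I output into (status code, lower-cased header dict)."""
    lines = [l for l in raw.splitlines() if l.strip()]
    m = re.match(r"HTTP/\S+\s+(\d{3})", lines[0]) if lines else None
    if not m:
        raise ValueError("no status line")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return int(m.group(1)), headers

def classify(raw: str, origin: str) -> str:
    """Name the failure mode for one response, as seen from the given browser origin."""
    try:
        status, h = parse_head(raw)
    except ValueError:
        return "no-response"          # connection never produced a status line
    if status == 525:
        return "tls-handshake"        # Cloudflare could not complete TLS to the origin; not a CORS issue
    if h.get("access-control-allow-origin") in (origin, "*"):
        return "cors-ok"
    return "cors-missing"             # the app answered but did not allow this origin

def curl_fetch(url: str, origin: str) -> str:
    """Hypothetical real fetcher: run curl -I with an Origin header (needs network)."""
    return subprocess.run(["curl", "-sI", "-H", f"Origin: {origin}", url],
                          capture_output=True, text=True, check=False).stdout

def probe(fetch: Callable[[], str], origin: str, attempts: int) -> dict[str, int]:
    """Repeat a probe; an intermittent 525 shows up as a mixed tally rather than a single failure."""
    tally = {"tls-handshake": 0, "cors-ok": 0, "cors-missing": 0, "no-response": 0}
    for _ in range(attempts):
        tally[classify(fetch(), origin)] += 1
    return tally
```

Run it as probe(lambda: curl_fetch(url, origin), origin, 20) against the real endpoint; a tally with both cors-ok and tls-handshake entries confirms the edge handshake, not the application's CORS config, is what flaps.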
Hey! Thanks for your reply,
I cannot reproduce it outside the browser. When I, for example, call the GQL endpoint in Postman, I’m not getting the Control-Allow-Origin header back, which makes sense.
I just now also got a 525 when trying to log in to the Directus backend UI; after a few refreshes, the 525 was gone and I could use it…
Can you enable debug logs on your backend to log the SSL handshake? There was/is a bug recently where Cloudflare sent the wrong SNI, which would explain the problem.
I’ve heard this issue is now fixed. Can you confirm that?
@user44312
Hey!
I can confirm that I’m unable to reproduce this on my live environment atm! When it returns (if ever) I will definitely post back here.
Thanks for the help!