Not correctly passing server headers in some responses from subdomain under same origin

Hi all, apologies again if this hasn’t been written out correctly or if I’ve missed anything out. I’m having an additional issue with CORS XHR requests where now the preflight is fully successful but it’s likely that Cloudflare isn’t properly responding with the server headers that are being supplied.

The Nginx config clearly states under the server block that add_header would add Access-Control-Allow-Origin along with the correct origin. Another thing is that the Referrer-Policy defined under the server block is strict-origin-when-cross-origin. However, Cloudflare responds with strict-origin anyway. The structure for the site is as follows, so you know what I’m referring to:
/check: GET https://api.naxxxxe.net/check
/app: POST https://api.naxxxxe.net/app
/staff: (Webpage) https://naxxxxe.net/apply or https://naxxxxe.net/apply/staff
/beta: (Webpage) https://naxxxxe.net/apply/beta
/streaming: (Webpage) https://naxxxxe.net/apply/streaming

What’s also strange about this is that it’s an intermittent problem. For some pages under /apply, including the defined index page of /staff and the additional pages /beta and /streaming, the response from my backend API for paths /check and /app will either be missing the Access-Control-Allow-Origin header, or it won’t be and the request will be fully successful. From what I can tell, it’s like this: /staff won’t have the header for /check but will for /app, but for the other two pages, /check will have the header but /app won’t.

Thankfully, as per my previous post on the community, all preflights are fully successful.

Below, I’ve provided my nginx config for the API.

server {
        listen 443 ssl http2;
        server_name api.naxxxxe.net;
        access_log /var/log/nginx/api-naxxxxe.app-access.log;
        error_log /var/log/nginx/api-naxxxxe.app-error.log error;
        ssl_certificate /var/ssl/fullchain.pem;
        ssl_certificate_key /var/ssl/privkey.pem;

        # Note: without the trailing "always", nginx only emits add_header
        # headers on 200, 201, 204, 206, 301, 302, 303, 304, 307 and 308
        # responses. Any 4xx/5xx from the backend would therefore go out
        # with no CORS headers at all, which looks "intermittent" from the
        # browser. "always" is added here so the headers go out on every
        # status code; it was not in the config as originally posted.
        add_header Allow 'GET, POST, HEAD' always;
        add_header X-Content-Type-Options nosniff always;
        add_header X-XSS-Protection "1; mode=block" always;
        add_header Referrer-Policy strict-origin-when-cross-origin always;
        add_header Access-Control-Allow-Origin https://naxxxxe.net always;
        add_header Access-Control-Allow-Methods 'GET, POST' always;
        add_header Access-Control-Allow-Headers 'Content-Type, Application-Type, Current-SID' always;

        # These server-level add_header directives are inherited by the
        # location below only because it declares no add_header of its own;
        # adding one there would discard every header listed above.
        location / {
                proxy_pass http://127.0.0.1:1337;
                proxy_http_version 1.1;
                # WebSocket-style upgrade pass-through to the backend
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection 'upgrade';
                proxy_set_header Host $host;
                proxy_cache_bypass $http_upgrade;
        }
}

Again, if you need me to clarify any additional information, please reply below and I will gladly respond at the earliest opportunity.
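A quick way to separate "nginx never sent the header" from "the proxy stripped it" is to request the two API paths with an Origin header, look at the actual (non-preflight) response, and record three things: the status code, whether a cf-ray header shows the response came through Cloudflare, and whether the CORS and Referrer-Policy headers are present. The script below is an added diagnostic, not code from the original post; the hostnames, the expected origin and the expected Referrer-Policy value are assumptions mirroring the config above, and the status-code set is nginx's documented default for add_header without `always`.

```python
"""Check whether the real (non-preflight) API response carries the headers
the nginx server block is supposed to add.

Added diagnostic for the post above, not the poster's own code. The
hostnames and expected header values are assumptions.
"""
import urllib.error
import urllib.request

# Assumed values; edit to match the real deployment.
EXPECTED_ORIGIN = "https://naxxxxe.net"
EXPECTED_REFERRER_POLICY = "strict-origin-when-cross-origin"

# Status codes on which nginx add_header fires WITHOUT the `always` flag.
ADD_HEADER_DEFAULT_STATUSES = {200, 201, 204, 206, 301, 302, 303, 304, 307, 308}


def analyze_response(status, headers, expected_origin=EXPECTED_ORIGIN,
                     expected_referrer=EXPECTED_REFERRER_POLICY):
    """Return findings for one response. `headers` is any name->value mapping;
    lookup is case-insensitive."""
    lower = {k.lower(): v for k, v in headers.items()}
    acao = lower.get("access-control-allow-origin")
    return {
        "status": status,
        # cf-ray is set by Cloudflare on responses it proxied.
        "via_cloudflare": "cf-ray" in lower,
        "acao_present": acao is not None,
        "acao_matches": acao == expected_origin,
        "referrer_policy": lower.get("referrer-policy"),
        "referrer_policy_ok": lower.get("referrer-policy") == expected_referrer,
        # True when nginx itself would have skipped add_header for this status.
        "nginx_add_header_would_skip": status not in ADD_HEADER_DEFAULT_STATUSES,
    }


def explain(findings):
    """One-line verdict for a findings dict."""
    if findings["acao_present"] and findings["acao_matches"]:
        return "ok: Access-Control-Allow-Origin present and correct"
    if not findings["acao_present"] and findings["nginx_add_header_would_skip"]:
        return ("missing on status %d: nginx add_header skips non-2xx/3xx unless "
                "'always' is set; check nginx before blaming the proxy"
                % findings["status"])
    if not findings["acao_present"] and findings["via_cloudflare"]:
        return ("missing on a success status behind Cloudflare: compare against "
                "a direct fetch from the origin server")
    if findings["acao_present"]:
        return "present but wrong origin value"
    return "missing and no cf-ray: response did not come via Cloudflare, look at nginx/backend"


def probe(url, origin=EXPECTED_ORIGIN, method="GET", body=None):
    """Send a cross-origin style request and analyze the actual response.
    HTTPError is caught on purpose: error responses are exactly where
    add_header without `always` drops the headers."""
    req = urllib.request.Request(
        url, data=body, method=method,
        headers={"Origin": origin, "Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return analyze_response(resp.status, dict(resp.headers))
    except urllib.error.HTTPError as err:
        return analyze_response(err.code, dict(err.headers))


if __name__ == "__main__":
    # Assumed endpoints from the post; the POST body is a constructed placeholder.
    for url, method in [("https://api.naxxxxe.net/check", "GET"),
                        ("https://api.naxxxxe.net/app", "POST")]:
        f = probe(url, method=method, body=b"{}" if method == "POST" else None)
        print(url, f["status"], "cf-ray" if f["via_cloudflare"] else "direct",
              "Referrer-Policy=%s" % f["referrer_policy"], "->", explain(f))
```

Run it once through the public hostname and once against the origin server directly (for example with the API's DNS record temporarily set to bypass the proxy, or with a hosts-file override pointing at the origin IP). If the header is missing only on the proxied run, the proxy is the place to look; if it is missing on both runs and the status is a 4xx or 5xx, the cause is the `always`-less add_header in nginx.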
