I’ve suddenly started getting numerous 520 errors in the past 2 weeks, seemingly out of nowhere.
This affects my api.livefpltables.com subdomain. The errors are listed as “CORS Missing Allow Origin” in my browser network tab in devtools.
When I pause Cloudflare all 520 errors cease, however they persist when running Cloudflare’s development mode. This leads me to believe this is a Cloudflare issue and not an issue at my origin server.
Performance is generally fine - but the constant 520 errors obviously aren’t helping. Low traffic, high traffic - doesn’t make a difference. The 520s are consistent. Pausing Cloudflare fixes it, but I require the SSL Cloudflare offers on my top-level domain so without migrating completely away from Cloudflare I’m not able to pause for any length of time…
I hope Cloudflare responds because I too face 5xx errors that are inexplicable. Hosting vendor doesn’t see issues, log files don’t show issues, yet monthly report from Cloudflare says there are 5xx errors.
We are also having the same problem. In the last 3 hours, we have seen 520 and 524 errors. Right now we are migrating all of our websites from Cloudflare.
If you are sure your origin is not returning malformed responses, even occasionally, then you should make sure you have appropriate CORS headers. Specifically for APIs, read all the answers below carefully: vue.js - CORS Missing Allow Origin - Stack Overflow
I’ve double checked - my origin server is setting all CORS headers correctly.
My only workaround for this is for my code to re-request any API requests that return a 520. As these errors are so sporadic, the second attempt is nearly always successful. It doesn’t feel like a satisfying solution as it’s not solving the root cause at all - that Cloudflare is failing to always send the correct CORS headers for reasons that remain unknown…
I’m going to suggest one more thing to test: add a global CORS header to all requests inside your server config. I think you are on Heroku, so you should be able to add the rule to your static.json iirc (or otherwise .htaccess or the like). Even your 404s should have a CORS header in this case.
Sure? https://api.livefpltables.com/ doesn’t have a CORS header right now. See if you can add it at the server level, so every single request has an Access-Control-Allow-Origin: * header (to test).
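As an added example (not code from this thread or from Cloudflare), here is one way to apply the suggestion above in application code, assuming a Node origin: a wrapper that sets the CORS header before the route handler runs, so 404 and 500 responses carry it too. The allowlisted origin and the routes are constructed; passing `new Set(["*"])` gives the wildcard test setting from the post, while the default echoes only listed origins.

```javascript
// Hypothetical allowlist for this sketch; new Set(["*"]) gives the test setting.
const ALLOWED_ORIGINS = new Set(["https://www.example.com"]);

// Decide which CORS headers a response gets for a given Origin request header.
function corsHeaders(origin, allowed = ALLOWED_ORIGINS) {
  if (allowed.has("*")) return { "Access-Control-Allow-Origin": "*" };
  if (origin && allowed.has(origin)) {
    // Echo only listed origins; Vary stops caches serving one origin's copy to another.
    return { "Access-Control-Allow-Origin": origin, Vary: "Origin" };
  }
  return { Vary: "Origin" };
}

// Wrap any (req, res) handler so the headers are set before it runs.
function withCors(handler, allowed = ALLOWED_ORIGINS) {
  return (req, res) => {
    const headers = corsHeaders(req.headers.origin, allowed);
    for (const [name, value] of Object.entries(headers)) res.setHeader(name, value);
    if (req.method === "OPTIONS") {
      res.setHeader("Access-Control-Allow-Methods", "GET, OPTIONS");
      res.statusCode = 204;
      return res.end();
    }
    try {
      handler(req, res);
    } catch (err) {
      // A crashing route still answers with the CORS headers already set.
      res.statusCode = 500;
      res.end("internal error");
    }
  };
}

// Constructed routes: one success, one that throws, everything else a 404.
function routes(req, res) {
  if (req.url === "/ok") { res.statusCode = 200; return res.end("{}"); }
  if (req.url === "/boom") throw new Error("constructed failure");
  res.statusCode = 404;
  res.end("not found");
}

// Usage with Node's built-in server:
//   require("node:http").createServer(withCors(routes)).listen(3000);
```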