Zero Trust CORS rejection

What is the name of the domain?

What is the issue you’re encountering

I have created a Zero Trust application for a specific route on my backend server. I am calling this route from my frontend server. Even when I have no policies attached, the preflight fails with a CORS 500 error. I have tried all 3 combinations of recommendations – passing the OPTIONS call to my server, having Cloudflare return the values, and even setting up a worker. None of them have gotten past the stage of the preflight rejection. I’ve spent many hours with Claude and even with ChatGPT Deep Research, but the same problem remains no matter what combination of things I try to do.

Ok, I had a core misunderstanding with how workers operate and how they have to be set up.

Core concept: Instead of having your frontend call your backend’s api location, you have Cloudflare create an “{frontend}/api” endpoint, which calls your worker, which then does some hostname regexp stuff and calls your backend.

I still don’t have it working, but I’m getting closer after finally understanding that core principle.

I have my worker set up, but it’s still dying with a 500 before it ever leaves Cloudflare, it’s not getting to my server. I deleted and re-created a service token, but that doesn’t seem to matter.

I seem to have narrowed this down to the call to https://snapinstruct.cloudflareaccess.com/cdn-cgi/access/validate returning a 500.

I’ve tried both types, but:

1. Does the “Access” token contain the “.access” at the end in its key or not?
2. Even if I don’t include an Access Token, but just have “Allow Everyone,” the system is still failing.

Apparently something got broken/misconfigured on the Cloudflare end.

I finally changed my subdomain to a different name and then it started working. Egads, that was painful.

This topic was automatically closed after 15 days. New replies are no longer allowed.