Request header field Content-Type is not allowed by Access-Control-Allow-Headers in preflight response.

[playground]

What am I missing? I follow the example but still getting pre-flight error

  app.use(corser.create({
    endPreflightRequests: false
  }));
  app.post('/resource/my-test', (req, res, next) => {
    if(req.method === 'OPTIONS') {
      res.writeHead(204);
      res.end();
    }
    ...
  });

[agrueneberg]

Thanks for asking this question: I realized that I don't have any client-side examples.

The configuration above will only work if the client sends a "simple" request, i.e., GET, HEAD, POST as method, some headers such as Accept, Accept-Language, Content-Language, and Content-Type, etc. Content-Type has an important restriction: only application/x-www-form-urlencoded, multipart/form-data, and text/plain are allowed.
If you are like most people, your Content-Type will be application/json, and this is not allowed by default. You will need to explicitly specify Content-Type in the configuration object under the
requestHeaders key, ideally as follows:

app.use(corser.create({
    endPreflightRequests: false,
    corser.simpleRequestHeaders.concat(["Content-Type"])
})

Hope that helps.
-ag

[playground]

@agrueneberg still getting the same error with your suggestion

  app.use(corser.create({
    endPreflightRequests: false,
    requestHeaders: corser.simpleRequestHeaders.concat(["Content-Type"])
  }));

Header Response
access-control-allow-credentials:false
access-control-allow-headers:*
access-control-allow-methods:GET,POST,OPTIONS
access-control-allow-origin:*
access-control-max-age:86400
cache-control:private, max-age=300
content-length:2

[agrueneberg]

What headers are sent in the request? I'm also surprised you're getting an access-control-allow-headers header with value * with the config above. Is it Chrome?

[playground]

Yes, it's Chrome Version 61.0.3163.91 (Official Build) (64-bit)
The express is fronted by Akamai. Seems whatever I do on express it has no effect.
The question is if access-control-allow-headers:*
why would it still complaining

Request header field Content-Type is not allowed by Access-Control-Allow-Headers in preflight response

[agrueneberg]

I see, in that case I would expect Akamai to handle CORS as well. There should be a way to configure those CORS-related headers? I'm wondering if the preflight requests (OPTIONS) are even coming through to Express.
The response headers that they sent looks pretty permissive, but I need to see the request to tell what could be wrong.

[playground]

This is the request
Request URL:https://stage.mydomain.com/web-pwa/query
Request Method:OPTIONS
Status Code:200
Remote Address:xxx.xxx.xxx.xxx:443
Referrer Policy:no-referrer-when-downgrade

request header
:authority:stage.mydomain.com
:method:OPTIONS
:path:/web-pwa/query
:scheme:https
accept:/
accept-encoding:gzip, deflate, br
accept-language:en-US,en;q=0.8
access-control-request-headers:content-type
access-control-request-method:POST
cache-control:no-cache
origin:https://dev.weather.com
pragma:no-cache
referer:https://dev.mydomain.com/index.html
user-agent:Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.91 Safari/537.36

[agrueneberg]

I would suggest to temporarily take Akamai out of the equation, find out which CORS headers you need, and then figure out how Akamai is handling CORS.
Right now it appears that they're overwriting some headers in your response, but what they do to requests and responses is a question for the Akamai support rather than one for here.