-
-
Notifications
You must be signed in to change notification settings - Fork 9.2k
Description
Bug report
Required System information
- Node.js version: 18.19.0
- NPM version: 10.8.2
- Strapi version: 5.0.0-rc.9
- Database: sqlite
- Operating system: macos on M1 chip
- Is your project Javascript or Typescript: Typescript
Describe the bug
I have this custom cors configuration in /config/middlewares.ts:
{
name: 'strapi::cors',
config: {
headers: ['accept-language', 'Token', 'Content-Type', 'Authorization', 'Accept', 'Origin', 'Response-Type'],
origin:
process.env.NODE_ENV === 'production'
? [`https://${process.env.DOMAIN}`, `https://${process.env.STRAPI_DOMAIN}`]
: [
'http://127.0.0.1:3000',
'http://127.0.0.1:1337',
'http://localhost:3000',
'http://localhost:1337',
'https://api.traefik.me',
'https://docker.traefik.me',
],
},
}In a local environment, I get CORS errors on POST request.
Here is what the preflight request gives me:
access-control-allow-headers: content-type
access-control-allow-methods: GET,HEAD,PUT,PATCH,POST,DELETE
access-control-allow-origin: *
As you can see, the origin is not correct and I don't get the access-control-allow-credentials which is mandatory for my use case. But because it is not set, I get this error:
The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'.
Why isn't the cors middleware working as expected ? I checked Strapi's source code and the default cors values include this allow credentials header.
A case where it is working
In a local docker environment it works - the preflight request gives me this:
access-control-allow-credentials: true
access-control-allow-headers: X-Requested-With,Accept,Content-Type,Content-Length,Authorization
access-control-allow-methods: GET,POST,PUT,OPTIONS,HEAD,DELETE
access-control-allow-origin: https://docker.traefik.me
What is the problem with local environment ?
Expected behavior
When I declare a cors middleware custom config, I want it to be taken into account.
Screenshots
The preflight response in localhost that is not working as expected.

Metadata
Metadata
Assignees
Labels
Type
Projects
Status
Status