Hi everyone,
Thank you @essayoub for your suggestion. I had already tested your suggestion, even using the basic cors() setup without any specific options, but unfortunately, it didn’t resolve the issue. Using cors() without any options should theoretically allow requests from any origin, but in my case, it didn’t work as expected.
As for @ksat, thanks for your reply. I also tested your suggestion. I did set withCredentials to true, and it helped fix the problem partially. However, I encountered an interesting behavior during my testing.
I created a simple test application, and the CORS issue was resolved when no Authorization header was sent from the frontend to my backend. But when I included an Authorization header, the CORS problem resurfaced.
I even tried changing the header name from Authorization to App-Authorization, but the issue persisted. It seems there’s an additional layer of complexity related to Google’s VMs Authorization.
Appreciate your input!
Summary of Tested Solutions and Current Findings:
Here’s a summary of what I have tested and learned so far:
- Basic CORS Configuration:
- Using
cors()middleware with or without any options did not resolve the issue.
- Adding
withCredentialsto Axios:
- Setting
withCredentialsto true partially fixed the issue. The CORS problem was resolved only when no backend Authorization header token was sent.
- Authorization Header Issue:
- The CORS problem occurs specifically when an Authorization header is included in the request. Changing the header name to
App-Authorizationdid not resolve the issue.
- Next Steps:
- I will continue to research and debug the handling of custom headers and how they interact with CORS policies. Ensuring proper configuration of allowed headers in the backend will be my focus.
I appreciate all the suggestions so far and will keep you updated on my progress. Hopefully, we can get to the bottom of this soon!
Thank you all for your support!