Home/ Questions/Q 901
Next
Answered
Kenil Vasani
Kenil Vasani

Kenil Vasani

View Profile
  • 1
Asked: 2020-12-19T21:59:52+00:00 In: ,

CORS error :Request header field Authorization is not allowed by Access-Control-Allow-Headers in preflight response

  • 1

I am trying to send the request from one localhost port to the another. I am using angularjs on the frontend and node on the backend.

Since it is CORS request, In node.js, i am using 

res.header('Access-Control-Allow-Origin', '*');
res.header('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE, PATCH');
res.header('Access-Control-Allow-Headers', 'Origin, X-Requested-With, Content-Type, Accept, Authorization');

and in the angular.js service file, I am using

return {
    getValues: $resource(endpoint + '/admin/getvalues', null, {
        'get': {
             method: 'GET',
             headers:{'Authorization':'Bearer'+' '+ $localStorage.token}
             }
     }),
}

I am getting the following error

Request header field Authorization is not allowed by Access-Control-Allow-Headers in preflight response.

Please help!

angularjscorshttp-headersjavascriptnode.js
Share

    1 Answer

    1. Kenil Vasani

      Kenil Vasani

      View Profile
      Best Answer

      You have to add options also in allowed headers. browser sends a preflight request before original request is sent. See below

       res.header('Access-Control-Allow-Methods', 'GET,PUT,POST,DELETE,PATCH,OPTIONS');

      From source https://developer.mozilla.org/en-US/docs/Web/HTTP/Methods/OPTIONS

      In CORS, a preflight request with the OPTIONS method is sent, so that the server can respond whether it is acceptable to send the request with these parameters. The Access-Control-Request-Method header notifies the server as part of a preflight request that when the actual request is sent, it will be sent with a POST request method. The Access-Control-Request-Headers header notifies the server that when the actual request is sent, it will be sent with a X-PINGOTHER and Content-Type custom headers. The server now has an opportunity to determine whether it wishes to accept a request under these circumstances.

      EDITED

      You can avoid this manual configuration by using npmjs.com/package/cors npm package.I have used this method also, it is clear and easy.

      • 0

    You must login to add an answer.