Another CORS question

Take a look at this post:

Basically:

  1. Add some allowed methods (e.g. GET, POST, PUT)
  2. The CORS Spec needs Origin and Access-Control-Request-Method headers for pre-flight requests (OPTIONS)

Here it is with Tyk Cloud proxying to example.com:

martinbuhr@diziet-sma ~> curl -vvv -X OPTIONS -H "Origin: http://localhost" -H "Access-Control-Request-Method: GET" https://xxxx.cloud.tyk.io/test/
*   Trying 52.205.26.151...
* Connected to xxxx.cloud.tyk.io (52.205.26.151) port 443 (#0)
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate: *.cloud.tyk.io
* Server certificate: Amazon
* Server certificate: Amazon Root CA 1
* Server certificate: Starfield Services Root Certificate Authority - G2
> OPTIONS /test/ HTTP/1.1
> Host: tyk-inc-portal-test.cloud.tyk.io
> User-Agent: curl/7.49.1
> Accept: */*
> Origin: http://localhost
> Access-Control-Request-Method: GET
>
< HTTP/1.1 200 OK
< Access-Control-Allow-Methods: GET
< Access-Control-Allow-Origin: http://localhost
< Access-Control-Max-Age: 24
< Cache-control: no-cache="set-cookie"
< Content-Type: text/plain; charset=utf-8
< Date: Wed, 19 Oct 2016 16:39:47 GMT
< Set-Cookie: AWSELB=A15351871EED3822C057D8653DCD7A0559A3D6489F2EDAC519C3F56B76311F575866272757EC31C283199D6E83B43D6BCC3F4FED505E505A88E6DF63FD899D66D2925504F1;PATH=/;MAX-AGE=180
< Vary: Origin
< Vary: Access-Control-Request-Method
< Vary: Access-Control-Request-Headers
< Content-Length: 0
< Connection: keep-alive
<
* Connection #0 to host xxx.cloud.tyk.io left intact

And for standard GET requests, etc., you’ll need to ensure an origin header is present.
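
The rule described in the post above, as an added example that is not part of the original post and not Tyk's implementation: a simplified model of how a server decides which CORS headers to return. The function name and the policy values are assumptions, chosen to match the curl session.

```python
# Added illustration: a simplified model of server-side CORS decisions.
# Policy values are assumptions chosen to match the curl session above.
ALLOWED_ORIGINS = {"http://localhost"}
ALLOWED_METHODS = {"GET", "POST", "PUT"}
MAX_AGE_SECONDS = 24


def cors_response_headers(method, request_headers):
    """Return the CORS-related response headers for one request."""
    req = {k.lower(): v for k, v in request_headers.items()}
    # Vary is sent on every response so caches never reuse a response
    # that was generated for a different Origin.
    resp = {"Vary": "Origin"}

    origin = req.get("origin")
    if origin is None:
        return resp  # no Origin header: not a CORS request, nothing to add
    if origin not in ALLOWED_ORIGINS:
        return resp  # exact match only; never echo an unlisted origin

    requested = req.get("access-control-request-method")
    if method.upper() == "OPTIONS" and requested is not None:
        # Pre-flight: needs both Origin and Access-Control-Request-Method.
        if requested.upper() not in ALLOWED_METHODS:
            return resp
        resp["Access-Control-Allow-Origin"] = origin
        resp["Access-Control-Allow-Methods"] = requested.upper()
        resp["Access-Control-Max-Age"] = str(MAX_AGE_SECONDS)
        return resp

    # Actual request (GET, POST, ...): only Allow-Origin is returned.
    if method.upper() in ALLOWED_METHODS:
        resp["Access-Control-Allow-Origin"] = origin
    return resp


if __name__ == "__main__":
    # Constructed sample requests mirroring the headers sent with curl.
    preflight = {"Origin": "http://localhost",
                 "Access-Control-Request-Method": "GET"}
    print(cors_response_headers("OPTIONS", preflight))
    print(cors_response_headers("OPTIONS", {"Origin": "http://localhost"}))
    print(cors_response_headers("GET", {}))
```
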