Cannot remove response headers (Access-Control-Allow-Origin)

Hi Tyk Team,

Note: The issue is happening on web browsers (Internet Explorer, Firefox, Chrome). Postman works fine since it bypasses CORS.

Currently, when consuming the TYK API, Tyk responds to the client with 2 ‘Access-Control-Allow-Origin’ header values (http://local.nokiaopenup.com, *). The detail is in the error below:

Failed to load https://tma-dev-tea.cloud.tyk.io/responseheader/pet/findByStatus?status=available: The ‘Access-Control-Allow-Origin’ header contains multiple values ‘http://local.nokiaopenup.com, *’, but only one is allowed. Origin ‘http://local.nokiaopenup.com’ is therefore not allowed access. Have the server send the header with a valid value, or, if an opaque response serves your needs, set the request’s mode to ‘no-cors’ to fetch the resource with CORS disabled.

Yesterday I tried to remove the response header (Access-Control-Allow-Origin) by following this guide: https://tyk.io/docs/transform-traffic/response-headers/, and it worked fine with TYK dashboard 1.4.2, but today TYK cloud was upgraded to 1.5.0 and this error happened again.

These are my CORS configs:

Thanks,
Toan Do

This is my API definition detail which was exported from TYK dashboard:

{
  "id": "5a69a5f3e06f7600011e9a18",
  "name": "responseheaders Swagger Petstore",
  "slug": "responseheaders",
  "api_id": "dee42378990648be6b289f4f70dda953",
  "org_id": "5a4f35569764510001dbc400",
  "use_keyless": true,
  "use_oauth2": false,
  "use_openid": false,
  "openid_options": {
    "providers": [],
    "segregate_by_client": false
  },
  "oauth_meta": {
    "allowed_access_types": [],
    "allowed_authorize_types": [],
    "auth_login_redirect": ""
  },
  "auth": {
    "use_param": false,
    "param_name": "",
    "use_cookie": false,
    "cookie_name": "",
    "auth_header_name": "",
    "use_certificate": false
  },
  "use_basic_auth": false,
  "use_mutual_tls_auth": false,
  "client_certificates": [],
  "upstream_certificates": {},
  "enable_jwt": false,
  "use_standard_auth": false,
  "enable_coprocess_auth": false,
  "jwt_signing_method": "",
  "jwt_source": "",
  "jwt_identity_base_field": "",
  "jwt_client_base_field": "",
  "jwt_policy_field_name": "",
  "notifications": {
    "shared_secret": "",
    "oauth_on_keychange_url": ""
  },
  "enable_signature_checking": false,
  "hmac_allowed_clock_skew": 0,
  "base_identity_provided_by": "",
  "definition": {
    "location": "header",
    "key": "version"
  },
  "version_data": {
    "not_versioned": false,
    "default_version": "",
    "versions": {
      "1.0.0": {
        "name": "1.0.0",
        "expires": "",
        "paths": {
          "ignored": [],
          "white_list": [],
          "black_list": []
        },
        "use_extended_paths": true,
        "extended_paths": {
          "black_list": [
            {
              "path": "/user/logout",
              "method_actions": {
                "GET": {
                  "action": "no_action",
                  "code": 200,
                  "data": "",
                  "headers": {}
                }
              }
            },
            {
              "path": "/user/login",
              "method_actions": {
                "GET": {
                  "action": "no_action",
                  "code": 200,
                  "data": "",
                  "headers": {}
                }
              }
            },
            {
              "path": "/user/createwithlist",
              "method_actions": {
                "POST": {
                  "action": "no_action",
                  "code": 200,
                  "data": "",
                  "headers": {}
                }
              }
            },
            {
              "path": "/user/createwitharray",
              "method_actions": {
                "POST": {
                  "action": "no_action",
                  "code": 200,
                  "data": "",
                  "headers": {}
                }
              }
            },
            {
              "path": "/user/{username}",
              "method_actions": {
                "DELETE": {
                  "action": "no_action",
                  "code": 200,
                  "data": "",
                  "headers": {}
                },
                "GET": {
                  "action": "no_action",
                  "code": 200,
                  "data": "",
                  "headers": {}
                },
                "PUT": {
                  "action": "no_action",
                  "code": 200,
                  "data": "",
                  "headers": {}
                }
              }
            },
            {
              "path": "/user",
              "method_actions": {
                "POST": {
                  "action": "no_action",
                  "code": 200,
                  "data": "",
                  "headers": {}
                }
              }
            },
            {
              "path": "/store/order/{orderid}",
              "method_actions": {
                "DELETE": {
                  "action": "no_action",
                  "code": 200,
                  "data": "",
                  "headers": {}
                },
                "GET": {
                  "action": "no_action",
                  "code": 200,
                  "data": "",
                  "headers": {}
                }
              }
            },
            {
              "path": "/store/order",
              "method_actions": {
                "POST": {
                  "action": "no_action",
                  "code": 200,
                  "data": "",
                  "headers": {}
                }
              }
            },
            {
              "path": "/store/inventory",
              "method_actions": {
                "GET": {
                  "action": "no_action",
                  "code": 200,
                  "data": "",
                  "headers": {}
                }
              }
            },
            {
              "path": "/pet/findbytags",
              "method_actions": {
                "GET": {
                  "action": "no_action",
                  "code": 200,
                  "data": "",
                  "headers": {}
                }
              }
            },
            {
              "path": "/pet/{petid}/uploadimage",
              "method_actions": {
                "POST": {
                  "action": "no_action",
                  "code": 200,
                  "data": "",
                  "headers": {}
                }
              }
            },
            {
              "path": "/pet/{petid}",
              "method_actions": {
                "DELETE": {
                  "action": "no_action",
                  "code": 200,
                  "data": "",
                  "headers": {}
                },
                "POST": {
                  "action": "no_action",
                  "code": 200,
                  "data": "",
                  "headers": {}
                }
              }
            },
            {
              "path": "/pet",
              "method_actions": {
                "POST": {
                  "action": "no_action",
                  "code": 200,
                  "data": "",
                  "headers": {}
                },
                "PUT": {
                  "action": "no_action",
                  "code": 200,
                  "data": "",
                  "headers": {}
                }
              }
            }
          ],
          "transform_response_headers": [
            {
              "delete_headers": [
                "Access-Control-Allow-Origin"
              ],
              "add_headers": {},
              "path": "/pet/findbystatus",
              "method": "GET",
              "act_on": false
            },
            {
              "delete_headers": [
                "Access-Control-Allow-Origin"
              ],
              "add_headers": {},
              "path": "/pet/{petid}",
              "method": "GET",
              "act_on": false
            },
            {
              "delete_headers": [
                "Access-Control-Allow-Origin"
              ],
              "add_headers": {},
              "path": "/user/logout",
              "method": "GET",
              "act_on": false
            },
            {
              "delete_headers": [
                "Access-Control-Allow-Origin"
              ],
              "add_headers": {},
              "path": "/user/login",
              "method": "GET",
              "act_on": false
            },
            {
              "delete_headers": [
                "Access-Control-Allow-Origin"
              ],
              "add_headers": {},
              "path": "/user/createwithlist",
              "method": "POST",
              "act_on": false
            },
            {
              "delete_headers": [
                "Access-Control-Allow-Origin"
              ],
              "add_headers": {},
              "path": "/user/createwitharray",
              "method": "POST",
              "act_on": false
            },
            {
              "delete_headers": [
                "Access-Control-Allow-Origin"
              ],
              "add_headers": {},
              "path": "/user/{username}",
              "method": "GET",
              "act_on": false
            },
            {
              "delete_headers": [
                "Access-Control-Allow-Origin"
              ],
              "add_headers": {},
              "path": "/user/{username}",
              "method": "PUT",
              "act_on": false
            },
            {
              "delete_headers": [
                "Access-Control-Allow-Origin"
              ],
              "add_headers": {},
              "path": "/user/{username}",
              "method": "DELETE",
              "act_on": false
            },
            {
              "delete_headers": [
                "Access-Control-Allow-Origin"
              ],
              "add_headers": {},
              "path": "/user",
              "method": "POST",
              "act_on": false
            },
            {
              "delete_headers": [
                "Access-Control-Allow-Origin"
              ],
              "add_headers": {},
              "path": "/store/order/{orderid}",
              "method": "GET",
              "act_on": false
            },
            {
              "delete_headers": [
                "Access-Control-Allow-Origin"
              ],
              "add_headers": {},
              "path": "/store/order/{orderid}",
              "method": "DELETE",
              "act_on": false
            },
            {
              "delete_headers": [
                "Access-Control-Allow-Origin"
              ],
              "add_headers": {},
              "path": "/store/order",
              "method": "POST",
              "act_on": false
            },
            {
              "delete_headers": [
                "Access-Control-Allow-Origin"
              ],
              "add_headers": {},
              "path": "/store/inventory",
              "method": "GET",
              "act_on": false
            },
            {
              "delete_headers": [
                "Access-Control-Allow-Origin"
              ],
              "add_headers": {},
              "path": "/pet/findbytags",
              "method": "GET",
              "act_on": false
            },
            {
              "delete_headers": [
                "Access-Control-Allow-Origin"
              ],
              "add_headers": {},
              "path": "/pet/{petid}/uploadimage",
              "method": "POST",
              "act_on": false
            },
            {
              "delete_headers": [
                "Access-Control-Allow-Origin"
              ],
              "add_headers": {},
              "path": "/pet/{petid}",
              "method": "POST",
              "act_on": false
            },
            {
              "delete_headers": [
                "Access-Control-Allow-Origin"
              ],
              "add_headers": {},
              "path": "/pet/{petid}",
              "method": "DELETE",
              "act_on": false
            },
            {
              "delete_headers": [
                "Access-Control-Allow-Origin"
              ],
              "add_headers": {},
              "path": "/pet",
              "method": "POST",
              "act_on": false
            },
            {
              "delete_headers": [
                "Access-Control-Allow-Origin"
              ],
              "add_headers": {},
              "path": "/pet",
              "method": "PUT",
              "act_on": false
            }
          ]
        },
        "global_headers": {},
        "global_headers_remove": [],
        "global_size_limit": 0,
        "override_target": ""
      }
    }
  },
  "uptime_tests": {
    "check_list": [],
    "config": {
      "expire_utime_after": 0,
      "service_discovery": {
        "use_discovery_service": false,
        "query_endpoint": "",
        "use_nested_query": false,
        "parent_data_path": "",
        "data_path": "",
        "port_data_path": "",
        "target_path": "",
        "use_target_list": false,
        "cache_timeout": 0,
        "endpoint_returns_list": false
      },
      "recheck_wait": 0
    }
  },
  "proxy": {
    "preserve_host_header": false,
    "listen_path": "/dee42378990648be6b289f4f70dda953/",
    "target_url": "http://petstore.swagger.io/v2",
    "strip_listen_path": true,
    "enable_load_balancing": false,
    "target_list": [],
    "check_host_against_uptime_tests": false,
    "service_discovery": {
      "use_discovery_service": false,
      "query_endpoint": "",
      "use_nested_query": false,
      "parent_data_path": "",
      "data_path": "",
      "port_data_path": "",
      "target_path": "",
      "use_target_list": false,
      "cache_timeout": 0,
      "endpoint_returns_list": false
    }
  },
  "disable_rate_limit": false,
  "disable_quota": false,
  "custom_middleware": {
    "pre": [],
    "post": [],
    "post_key_auth": [],
    "auth_check": {
      "name": "",
      "path": "",
      "require_session": false
    },
    "response": [],
    "driver": "",
    "id_extractor": {
      "extract_from": "",
      "extract_with": "",
      "extractor_config": {}
    }
  },
  "custom_middleware_bundle": "",
  "cache_options": {
    "cache_timeout": 0,
    "enable_cache": false,
    "cache_all_safe_requests": false,
    "cache_response_codes": [],
    "enable_upstream_cache_control": false,
    "cache_control_ttl_header": ""
  },
  "session_lifetime": 0,
  "active": true,
  "auth_provider": {
    "name": "",
    "storage_engine": "",
    "meta": {}
  },
  "session_provider": {
    "name": "",
    "storage_engine": "",
    "meta": {}
  },
  "event_handlers": {
    "events": {}
  },
  "enable_batch_request_support": false,
  "enable_ip_whitelisting": false,
  "allowed_ips": [],
  "dont_set_quota_on_create": false,
  "expire_analytics_after": 0,
  "response_processors": [
    {
      "name": "header_injector",
      "options": {}
    }
  ],
  "CORS": {
    "enable": true,
    "allowed_origins": [],
    "allowed_methods": [
      "GET",
      "OPTIONS"
    ],
    "allowed_headers": [
      "version",
      "apikey",
      "Access-Control-Allow-Origin",
      "Content-Type",
      "api_key",
      "Authorization",
      "Accept"
    ],
    "exposed_headers": [
      "version",
      "apikey",
      "Access-Control-Allow-Origin",
      "Content-Type",
      "api_key",
      "Authorization",
      "Accept"
    ],
    "allow_credentials": false,
    "max_age": 0,
    "options_passthrough": false,
    "debug": false
  },
  "domain": "",
  "do_not_track": false,
  "tags": [],
  "enable_context_vars": false,
  "config_data": {},
  "tag_headers": [],
  "global_rate_limit": {
    "rate": 0,
    "per": 0
  },
  "strip_auth_data": false
}

Hi!

Thanks for your message, we’re trying to reproduce this on our end and we’ll get back to you as soon as we can :slight_smile:

Luan - Tyk Support Team

Hi Toan

The error you received is usually due to enabling CORS when the upstream is already adding the header, so it gets added twice.

We couldn’t reproduce your second problem on our end, however, and we were able to add/remove CORS headers and add/remove Headers from endpoints using the endpoint designer. Can you confirm that this is still an issue for you?

Would it be helpful if we organise a short call with one of our consulting engineers to better understand your use-case and plans for Tyk?

I’m based in Tyk’s London office, you can contact me at [email protected]
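To make the point above concrete, here is an added Go example (not Tyk's code) that stands in for a CORS-enabled gateway with net/http: the constructed upstream already sends a wildcard Access-Control-Allow-Origin, the gateway adds its own for the allowed origin, and the client ends up with two values unless the upstream value is deleted first, which is what a "delete header" transform does. The origin and the request path are taken from the thread.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Constructed upstream response headers: the backend already sends a wildcard CORS header.
func upstreamHeaders() http.Header {
	return http.Header{"Access-Control-Allow-Origin": {"*"}, "Content-Type": {"application/json"}}
}

// gateway copies the upstream response headers through and then adds its own CORS header.
// With stripUpstream=false the client sees two values (the failure in the thread);
// with stripUpstream=true the upstream value is deleted before the gateway adds its own.
func gateway(origin string, stripUpstream bool) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		for k, v := range upstreamHeaders() {
			w.Header()[k] = v
		}
		if stripUpstream { // equivalent of the "delete header" response transform
			w.Header().Del("Access-Control-Allow-Origin")
		}
		w.Header().Add("Access-Control-Allow-Origin", origin) // CORS middleware adds its own
		w.Write([]byte(`{"pets":[]}`))
	})
}

// acaoValues sends a cross-origin GET through h and returns every ACAO value the client receives.
func acaoValues(h http.Handler, origin string) []string {
	req := httptest.NewRequest("GET", "/pet/findByStatus?status=available", nil)
	req.Header.Set("Origin", origin)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Header().Values("Access-Control-Allow-Origin")
}

// browserAccepts applies the rule from the browser error: exactly one value, "*" or the requesting origin.
func browserAccepts(values []string, origin string) bool {
	return len(values) == 1 && (values[0] == "*" || values[0] == origin)
}

func main() {
	origin := "http://local.nokiaopenup.com" // origin from the thread
	v := acaoValues(gateway(origin, false), origin)
	fmt.Println(v, browserAccepts(v, origin)) // prints [* http://local.nokiaopenup.com] false
}
```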

Hi Andrew,

Please see my comment inline.

The error you received is usually due to enabling CORS when the upstream is already adding the header, so it gets added twice.

[Toan] Sure. That’s the reason I want to remove 1 header value. I’m enabling CORS because I cannot add my custom headers (the version and apikey header names, as you saw in the picture above) to the request if I don’t enable TYK CORS.

We couldn’t reproduce your second problem on our end, however, and we were able to add/remove CORS headers and add/remove Headers from endpoints using the endpoint designer. Can you confirm that this is still an issue for you?

[Toan] Yes, I still face the issue. Also, I sent my Tyk Cloud account to your Tyk message inbox so that you can help me access my API detail to double-check that my API config is correct.

Would it be helpful if we organise a short call with one of our consulting engineers to better understand your use-case and plans for Tyk?

[Toan] Sure. I’m fine with that. Thanks for your support.

Thanks,
Toan Do

Thanks Luan. Are you Vietnamese :kissing_heart:?

Hi Toan Do,

Thank you, I’ve received your details and I’ll have a look shortly!
I’m afraid I’m actually South African, but I do have a wonderfully Vietnamese name :blush:

Thân ái,
Luan


By adding the correct “version” header to the request we were able to get through to the endpoint fine, but I want to be sure I understand what you’re trying to do.

Are you trying to see if you can remove the CORS header from the upstream, and replace it with your own in Tyk?

If you’re interested in a call to discuss your plans you can arrange that with @Andrew directly.

Thanks,
Luan

Hi Luan,

  1. I’m facing the issue when using the Swagger UI to send requests on web browsers (IE, FF, Chrome). The request was sent to Tyk and Tyk responded to the client successfully, but with 2 Access-Control-Allow-Origin header values, hence the browser blocked the response body and threw the error above.
  2. You mean that I should remove 1 Access-Control-Allow-Origin header value? I did so with the “Modify Header” plugin in the endpoint designer, but without success in TYK dashboard 1.5.0. See the pic below:

Thanks,
Toan Do

To confirm, when you say you are sending the request from the Swagger UI, do you mean in the developer portal under the catalogue entry documentation for that API? Or which tool are you using to send it?

Thanks,
Luan

I didn’t send the request from the developer portal. I integrated the Swagger UI into my web application and use it to send the request from the web. It’s similar to http://petstore.swagger.io/.

I also saw that the browsers added a CORS header (the Origin header) to the request automatically.

Thanks,
Toan Do

Could you please help check why I cannot remove the response header Access-Control-Allow-Origin with the “Modify header” plugin in the Endpoint designer?

Did I miss something or get something wrong?

Thanks,
Toan Do

Same here, it used to work in the previous version but since the upgrade to 1.5.0, it does not work anymore :frowning:


Hi,

I tried to install Tyk On-Premises 1.3.9 and the issue still happened, BUT after the Tyk gateway is restarted, the issue disappeared (it means I can remove the response header with the “modify header” plugin in the endpoint designer).

So could we restart the Tyk gateway on the Tyk Cloud version?

Thanks,
Toan Do

Hi @Andrew, @Luan and TYK Team,

Do you have any ideas or comments on what I provided?

Thanks,
Toan Do

@Luan can you please help with this issue, as it is a blocking one? Thanks.

@ramacorp what are the details of the issue you are having?

@scono1986 I may have found your issue. I’m able to remove the Access-Control-Allow-Origin header fine on cloud using the middleware.


vs

However, I notice that in the endpoint designer you named the path “/pet/findbystatus”; try removing the first slash and using “pet/findbystatus” instead.


@ramacorp ^this may help you also

@Luan yes this is it :)!! thanks a lot.