You shouldn’t need to set headers in the JS app, the browser will do that for you in pre-flight.
Access-Control-Allow-Credentials:true
Which isn’t in your screenshot, so I’m assuming that your upstream NodeJS app (X-Powered-By:Express) is actually trying to add CORS headers already.
This is backed up by seeing what happens when a POST is made to the API, I get two Access-Control-Allow-Origin headers back instead of one. Usually, when this happens, a JS client / browser will bork, since they expect a single header. The fact there are two responses implies that both Tyk Gateway AND the underlying API are handling CORS:
My suggestion would be to deselect all options in the CORS handler, and just tick “Allow OPTIONS pass-through”, this will basically allow CORS pre-flights to go through Tyk without checking and let ExpressJS handle them.
If you want to tyk to handle it, then you’ll need to have the underlying API not handle CORS.
Hey, this example is our working CORS settings on other API in this case
response.setHeader(“Access-Control-Allow-Origin”, “*”);
response.setHeader(“Access-Control-Allow-Methods”, “POST, GET, DELETE”);
response.setHeader(“Access-Control-Max-Age”, “3600”);
response.setHeader(“Access-Control-Allow-Headers”, “Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept, Client-Offset”);
But we try this options in tyk CORS and these options is not working
Error is
XMLHttpRequest cannot load http://thethingscloud.cloud.tyk.io/cumulative/. Response to preflight request doesn’t pass access control check: No ‘Access-Control-Allow-Origin’ header is present on the requested resource. Origin ‘http://xxx.xxx.xxx.xxx’ is therefore not allowed access. The response had HTTP status code 400.
Cos app is hosted on xxx.xxx.xxx.xxx and Origin when Browser send request is set as xxx.xxx.xxx.xxx
What correct settings of tyc CORS should be in this case?
We want to make reqest from some ‘origin’ of our web app. It is made on AngularJS. We want this requset pass tyc io as proxy and pass to our backend API after this and get a responce. What CORRECT settings of CORS on tyc io should to be. Cos now we have an error
XMLHttpRequest cannot load http://thethingscloud.cloud.tyk.io/cumulative/. Response to preflight request doesn’t pass access control check: No ‘Access-Control-Allow-Origin’ header is present on the requested resource. Origin ‘http://xxx.xxx.xxx.xxx’ is therefore not allowed access. The response had HTTP status code 400.
Ok, so I cloned your API Definition, and got it to work just fine with Angular, here’s the plunker, as you can see all I do is add an Auth header with a valid key (I nabbed your API definition and cloned it so that I could experiment, will delete after confirmed you’re up and running).
In Tyk:
Disable CORS
Enable “Options Pass through”
Clear all your other settings
What has happened:
You enabled CORS, so the Gateway is trying to handle CORS headers on your behalf
Your app handles CORS too
When pre-flights hit Tyk, they might be getting through, but the return response actually contains two CORS headers instead of one, this is mis-parsed and fails the pre-flights and breaks the implementation
Disabling CORS stops that middleware from running in our stack, but enabling OPTIONS pass through allows options requests through to your API without checks, so your API can then return pre-flight response headers