Cross Domain OPTIONS will allow-cross-origin

Hi using v1.9

Enabled CORS WITHOUT options_passthrough
TYK return OPTIONS response header without allow-cross-origin. so that pre-flight always failed.

If config with options_passthrough, my upstream API required implements OPTIONS with 200 response. Looks very dumb.

Any suggestion ?

"white_list": [
                            "path": "/registrations",
                            "method_actions": {
                                "POST": {
                                    "action": "reply",
                                    "code": 200,
                                    "data": "{\"meta\":{\"status\":200,\"message\":\"string\"},\"data\":{\"users\":[{\"id\":1, \"fullname\":\"Testing User\", \"email\":\"[email protected]\"}]}}",
                                    "headers": {"Content-Type": "application/json"}
"proxy": {
        "listen_path": "/",
        "target_url": "",
        "strip_listen_path": true
    "enable_batch_request_support": true,
    "CORS": {
        "enable": true,
        "allowed_methods": ["GET", "POST", "PUT", "OPTIONS", "DELETE", "PATCH"],
        "allowed_origins": ["*"]

This has been discussed in excruciating detail I suggest looking there with regards to how to configure CORS. The trick is usually to either have Tyk handle CORS, or your back end, but never both.