This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Get hands-on experience with 20+ free Google Cloud products and $300 in free credit for new customers.
Log in to ask a question

CORS error - Request header field x-apikey is not allowed by Access-Control-Allow-Headers in preflight response

Posted on 07-14-2020 03:41 AM
hj2509
New Member
Reply posted on --/--/---- --:-- AM

Clients send a request with their API key in the header. The filed name is "x-apikey". And I am trying to enable CORS but I get on the console

Request header field x-apikey is not allowed by Access-Control-Allow-Headers in preflight response

Upon tracing, I found that I got 200 OK response for the preflight Options but it seems the subsequent GET request was not made. I think that was because of the CORS error above.

Here is my CORS policy

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<AssignMessage async="false" continueOnError="false" enabled="true" name="add-cors">
    <DisplayName>Add CORS</DisplayName>
    <Properties/>
    <Add>
        <Headers>
            <Header name="Access-Control-Allow-Origin">*</Header>
            <Header name="Access-Control-Allow-Headers">origin, x-requested-with, accept</Header>
            <Header name="Access-Control-Max-Age">3628800</Header>
            <Header name="Access-Control-Allow-Methods">GET, PUT, POST, DELETE</Header>
        </Headers>
    </Add>
    <IgnoreUnresolvedVariables>true</IgnoreUnresolvedVariables>
    <AssignTo createNew="false" transport="http" type="response"/>
</AssignMessage>

And this is my config

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<ProxyEndpoint name="default">
    <FaultRules/>
    <DefaultFaultRule name="all">
        <AlwaysEnforce>true</AlwaysEnforce>
        <Step>
            <Name>add-cors</Name>
        </Step>
    </DefaultFaultRule>
    <Flows>
        <Flow name="OptionsPreFlight">
            <Request/>
            <Response>
                <Step>
                    <Name>add-cors</Name>
                </Step>
            </Response>
            <Condition>request.verb == "OPTIONS" AND request.header.origin != null AND request.header.Access-Control-Request-Method != null</Condition>
        </Flow>
    </Flows>
    <PreFlow name="PreFlow">
        <Request>
            <Step>
                <Name>verify-api-key</Name>
                <Condition>request.verb != "OPTIONS"</Condition>
            </Step>
            <Step>
                <Name>remove-query-param-apikey</Name>
                <Condition>request.verb != "OPTIONS"</Condition>
            </Step>
        </Request>
        <Response/>
    </PreFlow>
    <HTTPProxyConnection>
        <BasePath>/helloapikey_test</BasePath>
        <VirtualHost>secure</VirtualHost>
        <VirtualHost>default</VirtualHost>
    </HTTPProxyConnection>
    <RouteRule name="NoRoute">
        <Condition>request.verb == "OPTIONS" AND request.header.origin != null AND request.header.Access-Control-Request-Method != null</Condition>
    </RouteRule>
    <RouteRule name="default">
        <TargetEndpoint>default</TargetEndpoint>
    </RouteRule>
    <PostFlow name="PostFlow">
        <Request/>
        <Response/>
    </PostFlow>
</ProxyEndpoint>

And this is the error that I get

10124-5.jpg

Can anybody see what I might be doing wrong? and what should I do to fix this? Thank you!

Solved Solved
0 4 16.4K
Topic Labels
Jump to Solution
0 Likes
1 ACCEPTED SOLUTION

Posted on --/--/---- --:-- AM
nagashree_b
Silver 5
Silver 5
Reply posted on --/--/---- --:-- AM

@hyun jeon,

You need to add the x-api-key in the list of allowed headers in the add-cors assign message policy.

<Headername="Access-Control-Allow-Headers">origin, x-requested-with, accept, x-api-key</Header>

View solution in original post

Jump to Solution
4 REPLIES 4
Top Solution Authors
View all