Allow CORS for PUT in Node.js

Question

I am trying to make a PUT call to my rest api endpoint, and getting this error:

Method PUT is not allowed by Access-Control-Allow-Methods in preflight response.

I enabled CORS using this solution: enable-cors, it works for POST.

How do I achieve the same for PUT?

Thanks.

Did you read the error message? https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS#Access-Control-Allow-Methods — SLaks, Feb 26 '17 at 00:57
you need to add PUT (and probably OPTIONS) to `Access-Control-Allow-Methods` header — Jaromanda X, Feb 26 '17 at 01:04
Thanks @SLaks and Jaromanda, I added `PUT` in my header: `res.header("Access-Control-Allow-Methods", "PUT");`. It worked. — software_writer, Feb 26 '17 at 01:09
You will also have to support the OPTIONS method on your server because when a client users PUT, the browser will pre-flight the request with an OPTIONS request first and only if the browser gets the right result back will it allow the PUT. — jfriend00, Feb 26 '17 at 01:54
@jfriend00: No; `OPTIONS` is part of the protocol and doesn't need a separate entry in the header. — SLaks, Feb 27 '17 at 19:39
@SLaks - I did not say options has anything to do with a header. I said that they need to have their server handle an OPTIONS request that will be a preflight to the CORS PUT. You can see my answer for more detail. — jfriend00, Feb 27 '17 at 20:48
Did you figure this out? Did either of the answers help you solve it? — jfriend00, Mar 24 '17 at 04:26
Yes, I did. @SLaks link above(1st comment) helped me figure out the solution. Thanks. — software_writer, Mar 24 '17 at 17:35

score 42 · Accepted Answer · answered Feb 26 '17 at 01:37

42

add this:

res.header('Access-Control-Allow-Methods', 'PUT, POST, GET, DELETE, OPTIONS');

app.use(function(req, res, next) {
       res.header("Access-Control-Allow-Origin", "*");
       res.header("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept");
       res.header('Access-Control-Allow-Methods', 'PUT, POST, GET, DELETE, OPTIONS');
          next();
    });

answered Feb 26 '17 at 01:37

Julien

1,230
16
20

Thanks for the this information. I was bit confused with my code. Now it got fixed. – Jijo Cleetus May 27 '18 at 19:08

jfriend00 · Answer 2 · 2017-02-26T03:31:59.060

You will need to support the OPTIONS method on your server because the browser will pre-flight all cross-origin PUT requests, no matter what headers you have. And, you need to make sure you're explicitly allowing PUT in your CORS headers. See this from MDN's page on CORS:

Additionally, for HTTP request methods that can cause side-effects on server's data (in particular, for HTTP methods other than GET, or for POST usage with certain MIME types), the specification mandates that browsers "preflight" the request, soliciting supported methods from the server with an HTTP OPTIONS request method, and then, upon "approval" from the server, sending the actual request with the actual HTTP request method. Servers can also notify clients whether "credentials" (including Cookies and HTTP Authentication data) should be sent with requests.

So, in your server, you would need to do something like this:

app.use(function(req, res, next) {
    res.header('Access-Control-Allow-Origin', '*');
    res.header('Access-Control-Allow-Methods', 'GET,PUT,POST,DELETE,PATCH,OPTIONS');
    res.header('Access-Control-Allow-Headers', 'Content-Type, Authorization, Content-Length, X-Requested-With');
    // allow preflight
    if (req.method === 'OPTIONS') {
        res.send(200);
    } else {
        next();
    }
});

Here's an article on the topic:

Cross-Origin Requests in Express.JS

Allow CORS for PUT in Node.js

2 Answers2

Linked