handling CORS preflight request in Apache

Question

I have a AngularJS app deployed using Yeoman. Cakephp RESTful backend.

The Angular app sends in OPTIONS preflight requests, which the backend responds with forbidden (403), in nginx to solve this problem I have used this:

if ($request_method = 'OPTIONS') {
     add_header 'Access-Control-Allow-Origin' '*'; 
     add_header 'Access-Control-Allow-Credentials' 'true';
     add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS, PUT, DELETE'; 
     add_header 'Access-Control-Allow-Headers' 'X-AuthTokenHeader,Authorization,Content-Type,Accept,Origin,User-Agent,DNT,Cache-Control,X-Mx-ReqToken,Keep-Alive,X-Requested-With,If-Modified-Since';   
     add_header 'Access-Control-Max-Age' 1728000;
     add_header 'Content-Type' 'text/plain charset=UTF-8';
     add_header 'Content-Length' 0;
     return 204; 
}

How do I go about doing this in Apache? Please provide some preliminary guidance/comments, I will figure out the details after that and improve the question with granular details.

score 19 · Answer 1 · edited Apr 13 '17 at 12:13

19

I had the same question and the answer given does not solve the problem.

By looking around more I found you could do this using the rewrite, e.g:

RewriteEngine On                  
RewriteCond %{REQUEST_METHOD} OPTIONS 
RewriteRule ^(.*)$ $1 [R=200,L]

(make sure you enable the rewrite mod)

Then you should use, the "always set" to set the headers, e.g:

Header always set Access-Control-Allow-Origin "*"                   
Header always set Access-Control-Allow-Methods "POST, GET, OPTIONS"

Explanations here: https://serverfault.com/questions/231766/returning-200-ok-in-apache-on-http-options-requests

edited Apr 13 '17 at 12:13

Community

1
1

answered Nov 15 '16 at 10:48

Ovidiu Dolha

5,335
1
21
30

1

You saved me after 2 bad days! – stighy May 02 '19 at 07:27
1

You saved a life today, the only solution that works after 2 days and trying basically all the things possible – Gabbr Issimo Jun 21 '22 at 09:15

score 6 · Answer 2 · edited May 23 '17 at 10:31

6

Add this to your .htaccess file to your apache root directory:

Header add Access-Control-Allow-Origin "*"
Header add Access-Control-Allow-Headers "origin, x-requested-with, content-type"
Header add Access-Control-Allow-Methods "PUT, GET, POST, DELETE, OPTIONS"

Make sure to activate the apache module headers:

a2enmod headers

Source: https://stackoverflow.com/a/11691776/1494875

edited May 23 '17 at 10:31

Community

1
1

answered Sep 07 '14 at 14:55

Łukasz Dziedziul

144
4

score 3 · Answer 3 · answered Aug 10 '17 at 21:14

3

If it helps - I was using authentication so I also had to add following to make POST request work for me:

<LimitExcept OPTIONS>
  Require valid-user 
</LimitExcept>

answered Aug 10 '17 at 21:14

R. V.

129
1
7

handling CORS preflight request in Apache

3 Answers3

Linked