I have a few APIs created in Drupal 7 which use session authentication. Now when I get the CSRF token and try to use it in my API call, I get the following error: Request header field X-CSRF-Token is not allowed by Access-Control-Allow-Headers in preflight response.
Here is my JavaScript code:
var url = "http://dev/api/v1/macc/*";
var xhttp = new XMLHttpRequest();
xhttp.onreadystatechange = function () {
    if (this.readyState == 4 && this.status == 200) {
        console.log(xhttp.responseText);
    }
};
xhttp.open("GET", url, true);
// xhttp.setRequestHeader('Content-Type', 'application/json');
xhttp.setRequestHeader('X-CSRF-Token', 'xxxxxxxxxxxxxxxxx');
// xhttp.setRequestHeader('cookie', cookie);
xhttp.send();
If I run the same API from Advanced Rest Client, I get the correct response.
Any help will be appreciated.
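
The preflight check behind the error quoted above, as an added example that is not part of the original post: the first function builds the headers a server would return to the OPTIONS request, the second is a simplified model of the browser's check. The origin `http://app.example`, the allowlists and all function names are assumptions made for illustration.

```javascript
// Added example with constructed values; not code from the original post.
const ALLOWED_ORIGINS = new Set(["http://app.example"]); // assumption: origin of the calling page
const ALLOWED_METHODS = ["GET", "POST"];
const ALLOWED_HEADERS = ["content-type", "x-csrf-token"];
// Simplification: these headers never need to be listed by the server.
const SAFELISTED = new Set(["accept", "accept-language", "content-language"]);

// Server side: headers to send in reply to the OPTIONS preflight.
function preflightResponseHeaders(origin) {
  if (!ALLOWED_ORIGINS.has(origin)) return {}; // unknown origin gets no CORS headers
  return {
    // Cookie-based sessions need an explicit origin here, not "*".
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    "Access-Control-Allow-Methods": ALLOWED_METHODS.join(", "),
    "Access-Control-Allow-Headers": ALLOWED_HEADERS.join(", "),
    "Vary": "Origin",
  };
}

// Browser side (simplified): decide whether the real request may be sent.
function preflightCheck(origin, requestHeaderNames, responseHeaders) {
  if (responseHeaders["Access-Control-Allow-Origin"] !== origin) {
    return "origin not allowed";
  }
  const allowed = (responseHeaders["Access-Control-Allow-Headers"] || "")
    .split(",")
    .map((h) => h.trim().toLowerCase())
    .filter(Boolean);
  for (const name of requestHeaderNames) {
    const lower = name.toLowerCase();
    if (SAFELISTED.has(lower)) continue;
    if (!allowed.includes(lower)) {
      return "Request header field " + name +
        " is not allowed by Access-Control-Allow-Headers in preflight response.";
    }
  }
  return "ok";
}

const origin = "http://app.example";
// Server that allows the origin but does not list X-CSRF-Token: the error from the question.
console.log(preflightCheck(origin, ["X-CSRF-Token"],
  { "Access-Control-Allow-Origin": origin }));
// Server that lists the header for an allowlisted origin: the request goes through.
console.log(preflightCheck(origin, ["X-CSRF-Token"], preflightResponseHeaders(origin)));
```

A stand-alone REST client does not perform the browser's preflight check, which is why the same call succeeds there.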