Express server does not reply with proper cors headers

Question

I am expecting the Allow-Access-Control headers to be present in the response headers but I get nothing. I'm fairly certain it is not my nginx config, but rather my express configuration, however I have tweaked and added the cors headers to all the response variables available.

const path = require('path');
var cors = require('cors');
var express = require('express');
var app = express();
var walk = require('walk');
var ALLfiles = [];



app.use(function(req, res, next) {
  res.header("Access-Control-Allow-Origin", "*");
  res.header("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept");
  next();
});
app.use("/puntington", express.static("/puntington"));

app.get('/puntington', function(req, res) {

  //EDIT: If you need to go under subdirs: change glob to walk as said in https://stackoverflow.com/questions/2727167/getting-all-filenames-in-a-directory-with-node-js/25580289#25580289
  var walker = walk.walk('./puntington', {
    followLinks: false
  });
  walker.on('file', function(root, stat, next) {
    // Add this file to the list of files
    ALLfiles.push(path.join("https://static.maxrobbins.com/images/listPuntyImages/puntington", stat.name));
    next();
  });

  walker.on('end', function() {
    res.header("Access-Control-Allow-Origin", "*");
    res.header('Access-Control-Allow-Methods', 'DELETE, PUT, GET, POST');
    res.header("Access-Control-Allow-Headers", "Origin, X-Requested-With, Content-Type, Accept");
    res.send(ALLfiles);
  });

});

var server = app.listen(8666, function() {

  var host = server.address().address;
  var port = server.address().port;

  console.log('Example app listening at http://%s:%s', host, port);

});

The response headers from the server

Connection  
keep-alive
Content-Length  
169
Content-Type    
text/html
Date    
Sun, 23 Sep 2018 03:29:29 GMT
Server  
nginx/1.15.3

The nginx server config

 location /puntington {
#     auth_basic "Restricted Content";
#     auth_basic_user_file /etc/nginx/sites-available/.htpasswd;
     proxy_set_header   X-Real-IP $remote_addr;
     proxy_set_header   Host      $http_host;
     proxy_set_header X-Forwarded-Proto $scheme;
     proxy_pass         http://127.0.0.1:8666/puntington;
     proxy_redirect off;



#     auth_basic "Restricted Content";
#     auth_basic_user_file /etc/nginx/sites-available/.htpasswd;
     if ($request_method = 'OPTIONS') {
        add_header 'Access-Control-Allow-Origin' '*';
        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
        #
        # Custom headers and headers various browsers *should* be OK with but aren't
        #
        add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
        #
        # Tell client that this pre-flight info is valid for 20 days
        #
        add_header 'Access-Control-Max-Age' 1728000;
        add_header 'Content-Type' 'text/plain; charset=utf-8';
        add_header 'Content-Length' 0;
        return 204;
     }
     if ($request_method = 'POST') {
        add_header 'Access-Control-Allow-Origin' '*';
        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
        add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
        add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range';
     }
     if ($request_method = 'GET') {
        add_header 'Access-Control-Allow-Origin' '*';
        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
        add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
        add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range';
     }
 }

I'm in Windows right now so I can't test. I'm assuming the same thing? We're you going to suggest getting rid of ngi x? I need it to handle reverse proxy of other services — ShibbyOpSec1337, Sep 23 '18 at 04:20
you `var cors = require('cors');` and never use cors! you just try to do it by hand! -perhaps your (not shown) client side code is triggering CORS pre-flight - which you are not handling — Jaromanda X, Sep 23 '18 at 04:33
You were correct. If I do, $.ajax({ url: 'http://localhost:8666/puntington', success: function(data) { console.log(data)} }) it works fine, but if I hit the nginx endpoint it triggers CORS. Why? — ShibbyOpSec1337, Sep 23 '18 at 06:31
I get status code 200 response from nginx on the request but still CORS error. — ShibbyOpSec1337, Sep 23 '18 at 06:37

ShibbyOpSec1337 · Answer 1 · 2018-09-23T06:48:36.000

0

I figured it out. Because I was setting the CORS headers in both nginx and express the browser was getting confused and pooping itself, and by that I mean I was getting duplicate CORS settings in the response headers. By removing the CORS headers from the nginx site config and just using the express settings everything works fine. I appreciate the help boys <3

edited Sep 23 '18 at 06:48

answered Sep 23 '18 at 06:40

ShibbyOpSec1337

1
1
2

Express server does not reply with proper cors headers

1 Answers1