CORS ERROR strict-origin-when-cross-origin Cloudflare + Apache + Proxy + NodeJs

Question

I have an apache proxy that stay behind cloudflare

This is the scenario

World -> Cloudflare Https -> Apache -> PHP

World -> Cloudflare Https -> Apache/Proxy -> NodeJS

In my apache i put this configuration

<VirtualHost *:443>
            ServerAdmin webmaster@localhost
            ServerName  mydomain.com
            ServerAlias www.mydomain.com
            DocumentRoot /var/www/mydomain
            RewriteEngine On
           
            Header set Access-Control-Allow-Origin "*"
            Header add Access-Control-Allow-Headers "origin, x-requested-with, content-type"
            Header add Access-Control-Allow-Methods "PUT, GET, POST, DELETE, OPTIONS"
            <Directory /var/www/mydomain>
                    Options Indexes FollowSymLinks MultiViews
                    AllowOverride All
                    Order allow,deny
                    allow from all
                    Header set Access-Control-Allow-Origin "*"
                    Header add Access-Control-Allow-Headers "origin, x-requested-with, content-type"
                    Header add Access-Control-Allow-Methods "PUT, GET, POST, DELETE, OPTIONS"

            </Directory>
        

            LogLevel debug


            ErrorLog ${APACHE_LOG_DIR}/mydomain-error.log
            CustomLog ${APACHE_LOG_DIR}/mydomain-access.log combined
            SSLEngine on
            SSLCertificateFile /var/www/ssl/crt/mydomain/primary.crt
            SSLCertificateKeyFile /var/www/ssl/crt/mydomain/private.key
</VirtualHost>

but when calling an API from any domain return me always error on cors on chrome and firefox

Referrer Policy: strict-origin-when-cross-origin

“Referrer Policy: strict-origin-when-cross-origin” isn’t a CORS error — sideshowbarker, Feb 13 '21 at 09:40
usually, this means you are accessing resources from more-private address. such as localhost, LAN IP, etc. — XXLIVE, Mar 29 '21 at 05:16

score 4 · Answer 1 · answered Feb 14 '21 at 09:42

I found the solution to the problem

Part1: Add to apache configuration,

thee key solution is always set

Header always set Access-Control-Allow-Origin "*"
Header always set Access-Control-Allow-Methods "OPTIONS,POST,GET,HEAD,DELETE,PUT"
Header always set Access-Control-Allow-Headers "x-requested-with,Content-Type,origin,authorization,accept,client-sent-security-token"
Header always set Access-Control-Expose-Headers "Content-Security-Policy, Location"

Part2 you need to set in your application an OPTIONS HTTP request to always return 200

You can use this apache configuration to set it automatically

RewriteEngine On
RewriteCond %{REQUEST_METHOD} OPTIONS
RewriteRule ^(.*)$ $1 [R=200,L]

this solved the problem

I have cPanel how to add those? – Abd Abughazaleh Mar 11 '23 at 13:27 — Abd Abughazaleh, Mar 11 '23 at 13:27

CORS ERROR strict-origin-when-cross-origin Cloudflare + Apache + Proxy + NodeJs

1 Answers1