Authorization header does not reach API only on GET request (nginx)

Tags: nginx, laravel

I have an app built on Laravel and locally it all works fine, but on the server it does not work correctly.

The app is hosted on nginx, and PUT, POST and DELETE requests are able to send the Authorization header to the API, except for GET requests.

This is weird, because I know that on Apache you need to allow the Authorization header and on nginx there is no need for that.

Also, I have debugged this: when I call the route Route::get('reports/{amount}','ReportsController@show'); the Authorization header does not reach the API, but it does exist in the request header.

And when I change the route method to POST: Route::post('reports/{amount}','ReportsController@show'); the Authorization header reaches the API.

This is the server's nginx config:

server {
    listen 80;
    listen [::]:80;

    client_max_body_size 10M;

    #add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Frame-Options 'allow-from https://www.someweb.com';
    add_header X-Frame-Options 'allow-from https://www.someweb.com';
    add_header X-Content-Type-Options nosniff;
    add_header 'Referrer-Policy' 'strict-origin';
    add_header X-XSS-Protection "1; mode=block";

    root /var/www/html;

    index index.html index.htm index.nginx-debian.html, index.php;

    error_page 404 /404.html;

    include snippets/fastcgi-php.conf;

    location /security {
        alias /var/www/html/security/public;
        try_files $uri $uri/ @security;

        location ~ \.php$ {
            include snippets/fastcgi-php.conf;
            fastcgi_param SCRIPT_FILENAME $request_filename;
            fastcgi_pass unix:/run/php/php7.2-fpm.sock;
        }
    }

    location @security {
        rewrite /security/(.*)$ /security/index.php?/$1 last;
    }
}

I am not very familiar with nginx, but I do not see any exclusion for headers or GET requests. Has anyone come across this problem?

Is there any way to identify where the problem lies? Since my browser has the header and the API does not get it, I assume it is the server's fault, but I have no idea how to fix it.

asked Nov 09 '18 11:11

zerociudo


1 Answer

Perhaps you have to add this to the list of allowed headers that can be received, configurable in your Nginx config:

add_header Access-Control-Allow-Headers "Authorization";

Nearly the same boat, likely will have the same issue; as it stands, my developer environment has allowHeaders set to wildcard.

You may also be required to set allowed methods:

add_header Access-Control-Allow-Methods "GET, POST, DELETE, OPTIONS";

or use * (wildcard):

add_header Access-Control-Allow-Methods *;

answered Sep 28 '22 08:09

Marc
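
One way to narrow down where the header is lost, as an added example that is not part of the question or the answer: record for every request whether nginx itself received an Authorization header, without writing the credential to the log, and hand the header to PHP-FPM explicitly. The variable `$auth_present`, the format name `auth_debug` and the log path are assumptions; the `location` blocks are the ones from the question.

```nginx
# --- http {} context (nginx.conf or a file under conf.d/) ---

# 1 if the client sent an Authorization header, 0 if it did not.
# Only presence is recorded, so tokens never end up in the log file.
map $http_authorization $auth_present {
    default 1;
    ""      0;
}

# Assumed format name; one line per request with method, URI and the flag.
log_format auth_debug '$remote_addr "$request_method $request_uri" '
                      'status=$status auth_present=$auth_present';

server {
    listen 80;
    listen [::]:80;
    root /var/www/html;

    # Assumed log path; compare GET lines against POST lines here.
    access_log /var/log/nginx/auth_debug.log auth_debug;

    location /security {
        alias /var/www/html/security/public;
        try_files $uri $uri/ @security;

        location ~ \.php$ {
            include snippets/fastcgi-php.conf;
            fastcgi_param SCRIPT_FILENAME $request_filename;
            # Forward the header explicitly so PHP sees it as
            # $_SERVER['HTTP_AUTHORIZATION'], whatever the snippet sets.
            fastcgi_param HTTP_AUTHORIZATION $http_authorization;
            fastcgi_pass unix:/run/php/php7.2-fpm.sock;
        }
    }

    location @security {
        rewrite /security/(.*)$ /security/index.php?/$1 last;
    }
}
```

If the GET lines show `auth_present=1` but Laravel still sees no header, the loss is between nginx and PHP; if they show `auth_present=0`, the header was dropped before the request reached nginx (browser, proxy or CDN).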