Menu
Does anyone now how to fix CORS errors for the Strapi backend? I am getting a similar message like the one below. I replaced my domain with example.com :
Access to fetch at ‘https://blog.strapi.io/ghost/api/v0.1/posts/?client_id=ghost-frontend&client_secret=1f230799b4ec&limit=2’ from origin ‘http://backend.example.com:1337’ has been blocked by CORS policy: Response to ´http://backend.example.com:1337/admin´ preflight request doesn’t pass access control check: No ‘Access-Control-Allow-Origin’ header is present on the requested resource. If an opaque response serves your needs, set the request’s mode to ‘no-cors’ to fetch the resource with CORS disabled.
I tried adding an origin to config/environments/production/security.json
"origin": "*"
"origin": "backend.example.com"
None of them worked. I am still getting the error.
I would apreciate some help on this.
955
Short description. Cross-Origin Resource Sharing (CORS) errors occur when a server doesn't return the HTTP headers required by the CORS standard. To resolve a CORS error from an API Gateway REST API or HTTP API, you must reconfigure the API to meet the CORS standard.
Cross-Origin Resource Sharing (CORS) is a mechanism or a protocol that allows devices on one domain to access resources residing on other domains. Generally, for security reasons, browsers forbid requests that come in from cross-domain sources.
For me the following configuration worked:
// file: root_project/config/middleware.js:
module.exports = {
//...
settings: {
cors: {
enabled: true,
// headers: '*',
origin: ["http://localhost", 'https://foo.example'],
},
},
};
Setting headers: '*' is the simplest use of the access control protocol. The server sends back an Access-Control-Allow-Origin header with Access-Control-Allow-Origin: *, which means that the resource can be accessed by any origin.
If you wished to restrict access to the resource to requests only from https://foo.example, (so that no other domain than https://foo.example can access the resource in a cross-site manner), use the above setting, so that your server sends: Access-Control-Allow-Origin: https://foo.example
Note: When responding to a credentialed requests request, the server must specify an origin in the value of the Access-Control-Allow-Origin header, instead of specifying the "*" wildcard.
157
If you are in production then add the following content to ProjectRoot/config/env/production/middleware.js
P.S. update origin with yourown custom list of urls.
module.exports = {
load: {
before: ["timer", "responseTime", "logger", "cors", "responses", "gzip"],
order: [],
after: ["parser", "router"],
},
settings: {
timer: {
enabled: true,
},
cors: {
enabled: true,
origin: [
"https://www.example1.com",
"http://www.example.com",
"http://12.23.45.67:1234",
],
},
},
};
make use of pm2 with necessary configuration for running the strapi project.
module.exports = {
apps: [
{
name: "server",
cwd: "/home/userName/Project/ProjectRoot",
script: "npm",
args: "start",
max_memory_restart: "450M",
env: {
PORT: 1337,
DATABASE_HOST: "",
DATABASE_PORT: 5432,
DATABASE_NAME: "projectABC",
DATABASE_USERNAME: "USER",
DATABASE_PASSWORD: "PASSWORD",
},
env_production: {
PORT: 1337,
NODE_ENV: "production",
DATABASE_HOST: "",
DATABASE_PORT: 5432,
DATABASE_NAME: "xyz",
DATABASE_USERNAME: "postgres",
DATABASE_PASSWORD: "abc",
},
},
],
};
The origin must be a array of urls. Like following
origin: ["http://localhost", "https://backend.example.com"],
https://strapi.io/documentation/v3.x/concepts/middlewares.html#configuration-and-activation
37
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
