nginx add headers when returning 400 codes

Question

I'm developing an ember.js app with a laravel backend. I'm trying to return http error codes with php if something goes awry. I've noticed that when issue a PUT request and return a 400 status code, my CORS headers get ignored by my conf file which breaks my ember frontend. I have no idea why the PUT/400 code combo makes nginx ignore my conf. Any help would be much appreciated.

 server {   listen                *:80 ;    server_name           userchamp.com;   access_log            /var/log/nginx/embertest.com.access.log;    location / {      root  /var/www/embertest/public;     try_files  $uri  $uri/  /index.php?$args ;     index  index.html index.htm index.php;    }    location ~ \.php$ {          if ($request_method = 'OPTIONS') {          add_header 'Access-Control-Allow-Origin' '*';         add_header 'Access-Control-Allow-Credentials' 'true';         add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, OPTIONS';         add_header 'Access-Control-Allow-Headers' 'DNT,X-Mx-ReqToken,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';         add_header 'Access-Control-Max-Age' 1728000;         add_header 'Content-Type' 'text/plain charset=UTF-8';         add_header 'Content-Length' 0;          return 204;      }       if ($request_method = 'POST') {          add_header 'Access-Control-Allow-Origin' '*';         add_header 'Access-Control-Allow-Credentials' 'true';         add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, OPTIONS';         add_header 'Access-Control-Allow-Headers' 'DNT,X-Mx-ReqToken,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';       }       if ($request_method = 'PUT') {          add_header 'Access-Control-Allow-Origin' '*';         add_header 'Access-Control-Allow-Credentials' 'true';         add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE OPTIONS';         add_header 'Access-Control-Allow-Headers' 'DNT,X-Mx-ReqToken,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';      }      if ($request_method = 'GET') {          add_header 'Access-Control-Allow-Origin' '*';         add_header 'Access-Control-Allow-Credentials' 'true';         add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, OPTIONS';         add_header 'Access-Control-Allow-Headers' 'DNT,X-Mx-ReqToken,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';       }       if ($request_method = 'DELETE') {          add_header 'Access-Control-Allow-Origin' '*';         add_header 'Access-Control-Allow-Credentials' 'true';         add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, OPTIONS';         add_header 'Access-Control-Allow-Headers' 'DNT,X-Mx-ReqToken,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type';       }     root  /var/www/embertest/public;     try_files  $uri  $uri/  /index.php?$args ;     index  index.html index.htm index.php;     fastcgi_index index.php;     fastcgi_param PATH_INFO $fastcgi_path_info;     fastcgi_param  PATH_TRANSLATED $document_root$fastcgi_path_info;     fastcgi_param   SCRIPT_FILENAME $document_root$fastcgi_script_name;     fastcgi_param    APP_ENV dev;     fastcgi_param     APP_DBG true;     fastcgi_pass unix:/var/run/php5-fpm.sock;     fastcgi_split_path_info ^(.+\.php)(/.+)$;     include fastcgi_params;   } } 

Answer 1

For nginx >= 1.7.5

Append "always" to the header definition:

add_header 'Access-Control-Allow-Origin' '*' always; 

For nginx < 1.7.5

According to the nginx official document of ngx_header_module, the add_header can't work when response code is 400

syntax:     add_header name value; default:    — context:    http, server, location, if in location   Adds the specified field to a response header provided that the response code equals  200, 201, 204, 206, 301, 302, 303, 304, or 307. A value can contain variables. 

In another way, you can try the HttpHeadersMoreModule, which is more powerful.