http-server: --cors not working

XMLHttpRequest cannot load http://127.0.0.1:8081/feeds.json. Request header field Authorization is not allowed by Access-Control-Allow-Headers in preflight response

$ http-server --cors
Starting up http-server, serving ./
Available on:
  http://127.0.0.1:8081
  http://192.168.1.3:8081

Here are the headers:

Response Headers
access-control-allow-headers:Origin, X-Requested-With, Content-Type, Accept, Range
access-control-allow-origin:*
Connection:keep-alive
Date:Sun, 03 Sep 2017 07:51:28 GMT

Request Headers
view source
Accept:*/*
Accept-Encoding:gzip, deflate, br
Accept-Language:en-US,en;q=0.8
Access-Control-Request-Headers:authorization
Access-Control-Request-Method:GET

This is the OPTIONS request in chrome that is failing.

About this issue

  • Original URL
  • State: closed
  • Created 7 years ago
  • Reactions: 1
  • Comments: 29 (6 by maintainers)

Most upvoted comments

I had to pass --cors=Authorization

+34
ralyodio on Sep 11, 2017

This is potentially unrelated to some of the more specific comments, but in general if you’re only testing in browser, the default caching of one hour can cause the non-cors response to be cached and fail to get the new cors response.

+15
danieladams456 on Sep 12, 2018

–cors without value works, probably browser cache issue, hit ctrl + f5

+13
bhagwantg on Aug 3, 2019

same issue here. tried npx http-server --cors='*', --cors, --cors=Authorization, tried hard-refreshing the browser and clearing the cache, tried in multiple browsers…still getting the following issue.

Access to fetch at ‘http://www.theurliwanttofetch.com’ from origin ‘http://127.0.0.1:8080’ has been blocked by CORS policy: No ‘Access-Control-Allow-Origin’ header is present on the requested resource. If an opaque response serves your needs, set the request’s mode to ‘no-cors’ to fetch the resource with CORS disabled.

+5
ryanbuckleyca on Dec 12, 2020

--cors works for me but Ctrl+F5 nor clearing site’s data fixes the cache issue. Only on incognito or in another browser.

+1
LetrixZ on Jul 9, 2021

Hello, facing similar cors issue, when trying to load some external file within the application, hs . --cors -p 8080 any updates on above issue, it works in few cases and fails in few and I am not sure why.

+1
akshayr-tavisca on Mar 17, 2021

I had the same problem. I solved it by installing cors global npm install cors -g.

+1
Mathes2665 on Jul 26, 2019

This one works for me: http-server {folder} --cors=http://localhost:3000/

+1
PhilTheAir on Aug 14, 2018

@TeodorKolev @ansermino @Kazanz are you all simply using --cors (without a value or with '*' in @TeodorKolev’s case)?

The test for this feature is here: https://github.com/indexzero/http-server/blob/413fe72f8da11c7c5746d16e4a7876450f2d9d8c/test/http-server-test.js#L128-L156

Please extend it to test your scenario/usage expectation and lets see what we can figure out! 😃

+1
BigBlueHat on Aug 2, 2018
Read more comments on GitHub
← http-kit: SSL error on `doRead`
http-server: No matching version found for ecstatic@^3.0.0 →