cors-anywhere: setHeaders doesn't seem to change response header

I’ve been trying many different combinations of setHeaders, but am unable to make any modifications to the response header. As a test I am trying this:

const app = cors_proxy.createServer({
  originWhitelist: [], // Allow all origins
  requireHeader: ['origin', 'x-requested-with'],
  setHeaders: {
    "access-control-expose-headers" : "content-type,transfer-encoding,x-powered-by,connection,access-control-allow-origin,cache-control,date,expires,login-required,p3p,pragma,server,x-frame-options,x-cache,via,x-amz-cf-id,Access-Control-Allow-Credentials,x-final-url",
    "Access-Control-Allow-Credentials": "true",
    "x-powered-by": "CORS Anywhere",
    "access-control-allow-origin": "localhost"
  },
});

None of these headers become attached. Also require header does work fine.

About this issue

Original URL
State: open
Created 6 years ago
Reactions: 1
Comments: 19 (7 by maintainers)

Commits related to this issue

Add setting of response headers See https://github.com/PropellerAero/cors-anywhere/commit/713b3677ec3cc79a14f6d8a4299f75aa8b55389c and https://github.com/Rob--W/cors-anywhere/issues/102 — committed to BlackDark/cors-anywhere by BlackDark 6 years ago

Most upvoted comments

First, the setHeaders option sets request headers, not response headers.

Secondly, you are not supposed to touch Access-Control-Allow-Origin, because that is handled by CORS Anywhere. The logic responsible for setting Access-Control-Allow-Origin: * is at: https://github.com/Rob--W/cors-anywhere/blob/2ee31471ce3b624b5503bcc9c62fbe6783192c45/lib/cors-anywhere.js#L53

Rob--W on Feb 9, 2018

Omg, just add setResponseHeaders for any header we want to add. It’s a developer package. I can’t use the package for the same reason.

ondrek on Jun 26, 2018

It might seem stupid, but my browsers are blocking Access-Control-Allow-Origin: * because i use fetch with credentials: true so the browser worries that I send cookies to the wrong domain.

That’s right, it’s stupid, but that’ exactly what I want to do because I’m a developer and I need to do this to develop … In production it will not be like this …

However, I changed the code of withCORS and now I’m working

musikele on Feb 9, 2018

If anyone still has this problem, check this fork https://github.com/MANDA-LAWINE/cors-anywhere, Just add setResponseHeaders to createServer options.

MANDA-LAWINE on May 23, 2021

@musikele - like Rob said headers is for request. Use the fork i referenced above if you need more customization. It includes the ability to set responseHeaders as well as request headers.

chrisdobler on Feb 11, 2018

leaking the cookies from www.thesite.local -> localhost is specifically the point. this is a local proxy for a dev env. sometimes you need to do this so that you can scrape a legacy platform in dev to avoid cors issues. Good to warn folks though.

chrisdobler on Jan 10, 2018