
I have some CORS and preflight problems with my software I can't solve. To test it I was using a CORS test site to simulate it. When I make an API request to my server application I get the following error:

Access to XMLHttpRequest at 'https://example.org/api/articles/2387' from origin 'https://www.test-cors.org' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: It does not have HTTP ok status.

I was adding the following code at the end of my .htaccess file, but I still get the same error:

```apache
<IfModule mod_headers.c>
Header append X-Frame-Options SAMEORIGIN
# "always" also sets the CORS headers on error responses such as 401
Header always set Access-Control-Allow-Origin "*"
Header always set Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"
Header always set Access-Control-Allow-Headers "*, Authorization, authorization"
</IfModule>
<IfModule mod_rewrite.c>
RewriteEngine on
# always return 200 for preflight OPTIONS requests
RewriteCond %{REQUEST_METHOD} OPTIONS
RewriteRule ^(.*)$ $1 [R=200,L]
</IfModule>
```

Also the server is returning "Status Code: 401 Unauthorized". As Request Headers I was adding an authorization header (example string):

Authorization: Basic DJFNCNDJKS7574hdfnDDBHr4593834nfnd=

But it's the right authorization, because I tested the exact same header locally with curl several times (without cross origin) and I always get the requested data. Any idea what's going on here and how I can solve it?

Edit: I got it to work. I placed the additional htaccess content at the end of the file first. Since I added it at the beginning of the file it's working.

TmCrafz
  • The CORS policy on https://www.test-cors.org would need to be set to allow the API hosted at https://example.org to make cross origin requests. In other words, the CORS policy needs to be set on https://www.test-cors.org, because that is where the cross origin request is being made to. Do you have access to only the API server? – DubStep Jan 25 '21 at 19:59
  • "401 Unauthorized" - but doesn't the browser automatically send the OPTIONS request prior to your request - without an `Authorization` header? – MrWhite Jan 26 '21 at 01:04
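
The preflight exchange this thread is about, as an added example that is not part of the original post or its comments: a simplified model of the preflight a browser derives from the request and of the checks it applies to the response. The function names, the placeholder credential and the sample responses are constructed, and the model assumes a request without credentials mode whose listed headers are all non-safelisted.

```javascript
// Added example: simplified model of a browser's CORS preflight.
// Assumes no credentials mode and that every header in req.headers is non-safelisted.

// The preflight derived from the real request: author-set headers such as
// Authorization are named in Access-Control-Request-Headers but never sent.
function buildPreflight(req) {
  const names = Object.keys(req.headers).map((n) => n.toLowerCase()).sort();
  return {
    method: "OPTIONS",
    headers: {
      Origin: req.origin,
      "Access-Control-Request-Method": req.method,
      "Access-Control-Request-Headers": names.join(","),
    },
  };
}

// The checks applied to the preflight response, in order.
function checkPreflight(req, res) {
  const h = {};
  for (const [k, v] of Object.entries(res.headers)) h[k.toLowerCase()] = v;
  const list = (v) => (v || "").split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);

  // An auth layer answering OPTIONS with 401 fails here, whatever headers it sends.
  if (res.status < 200 || res.status > 299) return "fail: preflight status " + res.status + " is not ok";
  const origin = h["access-control-allow-origin"];
  if (origin !== "*" && origin !== req.origin) return "fail: origin not allowed";
  const methods = list(h["access-control-allow-methods"]);
  const method = req.method.toLowerCase();
  if (!["get", "head", "post"].includes(method) && !methods.includes(method) && !methods.includes("*"))
    return "fail: method not allowed";
  const allowed = list(h["access-control-allow-headers"]);
  for (const name of Object.keys(req.headers).map((n) => n.toLowerCase())) {
    // "*" never covers Authorization; it has to be listed by name.
    const covered = allowed.includes(name) || (allowed.includes("*") && name !== "authorization");
    if (!covered) return "fail: header " + name + " not allowed";
  }
  return "pass";
}

// Constructed request and response headers mirroring the question.
const request = { origin: "https://www.test-cors.org", method: "GET", headers: { Authorization: "Basic <placeholder>" } };
const cors = { "Access-Control-Allow-Origin": "*", "Access-Control-Allow-Methods": "GET, POST, PUT, DELETE, OPTIONS", "Access-Control-Allow-Headers": "*, Authorization, authorization" };

console.log(buildPreflight(request).headers);
console.log(checkPreflight(request, { status: 401, headers: cors }));
console.log(checkPreflight(request, { status: 200, headers: cors }));
console.log(checkPreflight(request, { status: 200, headers: { ...cors, "Access-Control-Allow-Headers": "*" } }));
```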

0 Answers