CSRF warning on centOS where there shouldn't be

Question

i am working on my own ERP in laravel with a seperate Vue.js Front. I was for a while working on a windows server with apache and it was working fine. The setup was a bit tricky in the beginning as i was not running vue from apache but using npm run dev so using it's own dev server. I was able to build it and tested it while serving it from port 80.

So far so good.

I wanted to go through the motions and do a sample install for production and migrated everything over to centOS and here i'm running into CSRF warnings on the frontend.

In case you are wondering, i have the cors headers enabled on my windows rig, but i did not need to set anything else like this:

Header set Access-Control-Allow-Origin "*"

in the my directory settings which is often advises on here when you run into CSRF preflight issues.

This is the error i get in centOS that i do not get in windows:

Access to XMLHttpRequest at 'http://192.168.2.100:8029/api/oauth/get-token' from origin 'http://192.168.2.100' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: The 'Access-Control-Allow-Origin' header contains multiple values '*, http://192.168.2.100', but only one is allowed.

PS i'm serving laravel on port 8029 served up by apache. I'm listening to both ports 80 and 8029 (vue front end and laravel backend)

Here is the vhost file:

<VirtualHost *:8029>
    ServerAdmin emailhere
    DocumentRoot "/var/www/html/backendpathhere/"
    ServerName webservices7.zeintek.com
    ServerAlias www.webservices7.zeintek.com
  <Directory "/var/www/html/backendpathhere/">
    AddHandler cgi-script .cgi .pl .py 
    Options Indexes Includes FollowSymLinks ExecCGI
    AllowOverride All 
    Order Allow,Deny
    Allow From All 
   </Directory>
</VirtualHost>

<VirtualHost *:80>
    ServerAdmin emailhere
    DocumentRoot "/var/www/html/frontendpathhere/"
  <Directory "/var/www/html/frontendpathhere/">
    AddHandler cgi-script .cgi .pl .py 
    Options Indexes Includes FollowSymLinks ExecCGI
    Options +ExecCGI
    AllowOverride All 
    Order Allow,Deny
    Allow From All
   </Directory>
</VirtualHost>

Answer 1

When I have done this I have coded the repsonse in my own Apache handler (written in Perl) so I'm not clear how it's set in Apache and I can't see it in your config files. I see that you have enabled .pl .py and .cgi so you may have your own code involved in responding to the pre-flight request.

What is it that is serving the response to the pre-flight request? That's the part where the invalid response is generated.

Check the request and responses (Network vierw in your Browser developer tools) and cross reference with the RFC's. Different server configurations will have different options so ensure that if you are using an Apache config you have understood how to set the option properly.

When I have done this it took a little time to understand how we were going to build the cross-referencing domain data model but I don't remember getting the code working was particulalry difficult.

Answer 2

My sincere apologies. I had a backendurls file that is specific to each server deployment and i was hitting the wrong endpoint. My linux server was hitting the windows dev server.

Writing it out actually help me troubleshoot this problem.