
I'm getting HTTP response code 400 from APIMan (version 1.3.0.Final) every time I use the header Access-Control-Request-Method.

I tried the same request without the header and it worked, so I imagine something is wrong with the Access-Control-Request-Method header.

The request below fails:

curl -i -X OPTIONS \
    -H "Authorization:Bearer ..." \
    -H "Access-Control-Request-Headers:authorization,content-type,x-origem" \
    -H "Access-Control-Request-Method:POST" \
    'https://www.apigtw.pe.gov.br/apiman-gateway/ati-homolog/catalogo-software/1.0/datacenter/search'

But if I send the same request without the Access-Control-Request-Method header, it works:

curl -i -X OPTIONS \
    -H "Authorization:Bearer ..." \
    -H "Access-Control-Request-Headers:authorization,content-type,x-origem" \
    'https://www.apigtw.pe.gov.br/apiman-gateway/ati-homolog/catalogo-software/1.0/datacenter/search'

In the APIMan CORS Policy I didn't see an option for Access-Control-Request-Method (image below). I tried setting Access-Control-Expose-Headers and Access-Control-Allow-Headers (highlighted below) and it didn't work.

[Image: APIMan CORS Policy configuration screen]

Is there something wrong with the Request or APIMan?

Renato Barros
  • In the APIMan configuration UI, have you tried setting the **Terminate on CORS error** option to False? What value do you have set for the **Access-Control-Allow-Methods** option in that UI? – sideshowbarker Dec 18 '18 at 01:44
  • Hi @sideshowbarker. About Terminate on CORS error set to False: if I set it to False it works, but I'm afraid of the security restrictions in my APIs doing this. And about Access-Control-Allow-Methods, I updated the image. – Renato Barros Dec 18 '18 at 12:32
  • I don’t know of any security risks you’d be preventing by setting that “Terminate on CORS error” option to False. The thing is, not terminating on CORS errors on the server side is exactly how every other server-side system works now with respect to the CORS protocol. The CORS protocol is based on enforcement being performed by the browser on the client side. That’s how CORS is designed. So the “Terminate on CORS error” behavior APIMan seems to have is counter to that design. So it’s an oddity to begin with — an anti-pattern. It makes me wonder what other odd things APIMan might be doing… – sideshowbarker Dec 18 '18 at 12:55
  • Thanks @sideshowbarker. I'm a newbie in API gateways; I thought the CORS Policy should be used to prevent any kind of attack. But, as you said, the default server behavior is to ignore CORS errors. In APIMan the CORS Policy is optional, so I can just ignore it. Thanks... – Renato Barros Dec 18 '18 at 14:07
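The gateway behaviour discussed in the comments, as an added example that is not part of the original post and not APIMan's code: a toy model of a gateway-side CORS preflight check. The policy field names (mirroring the UI options), the sample Origin and the "forwarded" pass-through are assumptions; what it shows is that with "Terminate on CORS error" set, a preflight whose Access-Control-Request-Method is not in the allowed methods is answered with a 400 at the gateway, while without it the request passes through with no Access-Control-Allow-* headers and the browser, not the gateway, refuses the cross-origin call.

```python
from dataclasses import dataclass, field


@dataclass
class CorsPolicy:
    """Assumed policy shape; field names mirror the APIMan UI, not its code."""
    allow_origins: set = field(default_factory=lambda: {"*"})
    allow_methods: set = field(default_factory=lambda: {"GET", "HEAD"})
    allow_headers: set = field(default_factory=set)
    terminate_on_error: bool = True  # the "Terminate on CORS error" switch


# Constructed preflight, taken from the failing curl in the question
# (Origin added: a browser always sends it on a preflight, curl does not).
PREFLIGHT = {
    "Origin": "https://app.example",
    "Access-Control-Request-Method": "POST",
    "Access-Control-Request-Headers": "authorization,content-type,x-origem",
}


def _csv(value):
    """Split a comma-separated header value into a lowercase set."""
    return {v.strip().lower() for v in value.split(",") if v.strip()}


def preflight(policy, headers):
    """Evaluate an OPTIONS request; returns (outcome, status, cors_headers).

    "not-preflight": no Access-Control-Request-Method, forwarded untouched.
    "allowed":       policy satisfied, Access-Control-Allow-* headers emitted.
    "terminated":    policy violated and terminate_on_error set -> 400.
    "forwarded":     policy violated, no CORS headers; the browser blocks it.
    """
    h = {k.lower(): v for k, v in headers.items()}
    method = h.get("access-control-request-method")
    if method is None:
        return "not-preflight", 200, {}
    origin = h.get("origin", "")
    allowed = (
        ("*" in policy.allow_origins or origin in policy.allow_origins)
        and method.upper() in policy.allow_methods
        and _csv(h.get("access-control-request-headers", ""))
        <= {x.lower() for x in policy.allow_headers}
    )
    if allowed:
        return "allowed", 200, {
            "Access-Control-Allow-Origin": "*" if "*" in policy.allow_origins else origin,
            "Access-Control-Allow-Methods": ", ".join(sorted(policy.allow_methods)),
            "Access-Control-Allow-Headers": ", ".join(sorted(policy.allow_headers)),
        }
    if policy.terminate_on_error:
        return "terminated", 400, {}
    return "forwarded", 200, {}
```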

0 Answers