I have added add_header 'Access-Control-Expose-Headers' '*'; in my Nginx server. But still not able to get any response headers.
Somewhere in your server or location block. Please note that * will not be acceptable here. You have to explicitly expose each custom header.
add_header 'Access-Control-Expose-Headers' 'Authorization,X-Custom-Header';
I have an EC2 instance on AWS that I have deployed a MERN stack on. I have defined nginx as follows:
server {
    #listen 80;
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name yourdomain.com;
    access_log /home/ubuntu/client/server_logs/host.access.log main;
    client_max_body_size 10M;

    location /api/ {
        add_header X-debug-message innnnnnnnnnnnnn;
        proxy_pass http://localhost:3000/;
    }

    location /admin-dashboard {
        root /home/ubuntu;
        index index.html;
        add_header X-uri "$uri";
        add_header X-Frame-Options SAMEORIGIN;
        add_header X-Content-Type-Options nosniff;
        add_header X-XSS-Protection "1; mode=block";
        add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
    }

    location / {
        root /home/ubuntu/client/deploy;
        index index.html index.htm;
        try_files $uri $uri/ /index.html;
        add_header X-uri "$uri";
        add_header X-Frame-Options SAMEORIGIN;
        add_header X-Content-Type-Options nosniff;
        add_header X-XSS-Protection "1; mode=block";
        add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
    }

    location = /49x.html {
        root /usr/share/nginx/html;
    }

    server_tokens off;

    location ~ /\.ht {
        deny all;
    }
}
And I have attached the security groups as screenshots.
When I tried to fetch data from this URL, http://clikjo.com/api/, using the browser or Postman it works perfectly, but when I try it using JavaScript with fetch or Axios it fails with this error:
[TypeError: Network request failed]
Can anybody solve my problem?
I have tried to:
change my security groups
add headers, specify mode, fetch options, etc.
If you load a page in your browser using HTTPS, the browser will refuse to load any resources over HTTP. As you've tried, changing the API URL to have HTTPS instead of HTTP typically resolves this issue. However, your API must not allow for HTTPS connections. Because of this, you must either force HTTP on the main page or request that they allow HTTPS connections.
Note on this: The request will still work if you go to the API URL instead of attempting to load it with AJAX. This is because the browser is not loading a resource from within a secured page, instead it's loading an insecure page and it's accepting that. In order for it to be available through AJAX, though, the protocols should match.
You are getting a CORS error.
You need to fix it on server-side with additional header.
add_header Access-Control-Allow-Origin *;
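As an added example (not the asker's configuration and not part of either answer), this is one way to apply the first answer's advice and make the page and the API share a single protocol: everything is served over HTTPS on one origin, plain HTTP is redirected, and /api/ is proxied to the Node process from the question. The host name yourdomain.com and the certificate paths are placeholders. Because the page and the API then share one origin, no CORS headers are needed for the fetch at all.

```nginx
# Added example: plain HTTP only redirects, so a page loaded over HTTPS
# never has to reach an http:// API URL (the mixed-content case).
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name yourdomain.com;            # placeholder host
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name yourdomain.com;            # placeholder host

    ssl_certificate     /etc/ssl/yourdomain.com/fullchain.pem;   # placeholder path
    ssl_certificate_key /etc/ssl/yourdomain.com/privkey.pem;     # placeholder path

    # HSTS is only honoured by browsers when received over HTTPS, so it
    # belongs in this server block, not in the port-80 one.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Frame-Options SAMEORIGIN always;
    add_header X-Content-Type-Options nosniff always;
    # Neither location below declares its own add_header, so all three
    # headers above are inherited by both of them.

    # Same-origin API: https://yourdomain.com/ calls https://yourdomain.com/api/...
    location /api/ {
        proxy_pass http://127.0.0.1:3000/;
        proxy_http_version 1.1;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    location / {
        root /home/ubuntu/client/deploy;
        index index.html;
        try_files $uri $uri/ /index.html;
    }
}
```

The X-Forwarded-Proto header lets the Node app know the original request was HTTPS, which matters if it generates absolute URLs or sets secure cookies.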
I have set up a reverse proxy to port 8086. Port 8086 is running a JavaScript app that displays a random image in webp format. If I try to visit the domain it displays the image as gibberish text. It works fine if I visit the IP address but not the domain.
I have found out that more_set_headers "X-Content-Type-Options : nosniff" is causing the image to display as gibberish text. Is there a way to remove that setting for a specific site only, because X-Content-Type-Options : nosniff is set to apply to all sites?
nginx conf
server {
    server_name sub.example.com www.sub.example.com;
    access_log /var/log/nginx/sub.example.com.access.log;
    error_log /var/log/nginx/sub.example.com.error.log;
    add_header X-Proxy-Cache $upstream_cache_status;

    location / {
        proxy_pass http://xxx.xxx.xxx.xxx:8086/img;
        proxy_redirect off;
        proxy_set_header X-Content-Type-Options "";
    }
}
How to remove X-Content-Type-Options : nosniff from specific site?
This can be done in a "functional" way: always add the header with a value from map{}.
map $host $nosniff {
    myhost  '';
    default nosniff;
}
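An added example (not the answerer's snippet) that carries the map approach through for the server block in the question. It assumes the global more_set_headers "X-Content-Type-Options: nosniff" directive is removed and replaced by the add_header below, since the headers-more directive would otherwise keep adding the header regardless of the map. Note that nosniff only breaks an image whose upstream Content-Type is wrong; if the app on port 8086 can be made to send Content-Type: image/webp, the header can stay enabled everywhere, which is the safer fix.

```nginx
# Added example: per-host value for X-Content-Type-Options.
# "map" is only valid in the http context (nginx.conf or a file included
# from http {}). add_header skips a header whose value is the empty
# string, so "" means "send no header for this host".
map $host $nosniff {
    default              nosniff;   # every other site keeps the protection
    sub.example.com      "";        # the webp proxy host from the question
    www.sub.example.com  "";
}

server {
    server_name sub.example.com www.sub.example.com;
    access_log /var/log/nginx/sub.example.com.access.log;
    error_log  /var/log/nginx/sub.example.com.error.log;

    # Any add_header in this block cancels inheritance of add_header
    # directives from the http context, so the mapped header is emitted
    # here, next to the existing X-Proxy-Cache header, not globally.
    add_header X-Proxy-Cache $upstream_cache_status;
    add_header X-Content-Type-Options $nosniff always;

    location / {
        # Upstream address as written in the question; no add_header here,
        # so both headers above are inherited by this location.
        proxy_pass http://xxx.xxx.xxx.xxx:8086/img;
        proxy_redirect off;
    }
}
```

The proxy_set_header line from the question is dropped on purpose: it only changes the request sent to the upstream and has no effect on the response header the browser sees.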
I added the following header in the Nginx conf:
add_header X-Frame-Options "SAMEORIGIN" and then it's working fine.
Then I added another header like this
add_header X-Frame-Options "SAMEORIGIN"
add_header X-XSS-Protection "1; mode=block";
But the X-XSS-Protection is not getting reflected in the Response Headers, only X-Frame-Options is getting added.
Then I removed the X-Frame-Options from the Nginx conf file, then also it is showing the X-Frame-Options in the Response Headers but not the other one.
I am not sure if Nginx cached the previous conf file or it is happening due to some other configurations.
I set add_header X-Frame-Options deny always;.
Now I want to change it to SAMEORIGIN. To do that I changed the following in /etc/nginx/sites-available/my_domain:
#add_header X-Frame-Options deny always;
add_header X-Frame-Options sameorigin always;
But the header is still showing X-Frame-Options DENY.
Here is the screenshot:
How can I change this?
Try:
add_header X-Frame-Options "SAMEORIGIN";
and restart Nginx. I tested "add_header X-Frame-Options SAMEORIGIN always;" and Nginx error log reports:
invalid number of arguments in "add_header" directive in ...
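As an added example (not taken from either of the two X-Frame-Options questions above or from the answer), a server block that sets the security headers in one place. Every add_header ends with a semicolon and uses plain ASCII double quotes; curly quotes pasted from a word processor become part of the header value. The `always` parameter is a valid third argument in nginx 1.7.5 and later, and a changed file under sites-available only takes effect after a successful test and reload. Host name and paths are placeholders.

```nginx
# Added example: security headers set once at server level.
server {
    listen 443 ssl;
    server_name my_domain.example;                 # placeholder host

    ssl_certificate     /etc/ssl/my_domain.crt;    # placeholder path
    ssl_certificate_key /etc/ssl/my_domain.key;    # placeholder path

    # Without "always", add_header only applies to responses with status
    # 200, 201, 204, 206, 301, 302, 303, 304, 307 or 308; with it, error
    # pages get the headers too, which is what you want for these.
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    # Kept because the question uses it; current browsers ignore this
    # header and rely on Content-Security-Policy instead.
    add_header X-XSS-Protection "1; mode=block" always;

    location / {
        root /var/www/html;                        # placeholder path
        # No add_header in this location: a location that declares its
        # own add_header drops every header inherited from the server
        # block, which is the usual reason "only one header shows up".
    }
}

# Apply the change (run as root); a syntax error here leaves the old
# configuration running, so the old header value keeps being sent:
#   nginx -t && systemctl reload nginx
# If my_domain lives in sites-available, it must also be symlinked from
# sites-enabled, or nginx never reads it.
```

A missing semicolon, as in the second question above, is exactly the kind of syntax error that makes nginx -t fail and leaves the previously loaded configuration (with the old headers) in place.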
Using nginx, I have an HTML file served at sub.example.com which needs to get its JSON data from example.com.
But the JSON is not loaded. Instead, in the Chrome browser I get:
The 'Access-Control-Allow-Origin' header has a value 'https://example.com' that is not equal to the supplied origin. Origin 'http://sub.example.com' is therefore not allowed access.
How can I fix this?
You need to set CORS headers on your example.com server to allow the domain sub.example.com to use this resource, for example:
add_header Access-Control-Allow-Origin "https://sub.example.com" always;
add_header Access-Control-Allow-Headers "Origin, Content-Type, Accept" always;
add_header Access-Control-Allow-Methods "GET, POST, PUT, OPTIONS, DELETE" always;
OR
add_header Access-Control-Allow-Origin "https://*.example.com" always;
add_header Access-Control-Allow-Headers "Origin, Content-Type, Accept" always;
add_header Access-Control-Allow-Methods "GET, POST, PUT, OPTIONS, DELETE" always;
You need to set it in the server that handles the JSON. You can allow * in CORS, but it isn't recommended.
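An added example, not the answerer's snippet, of an explicit origin allowlist for the example.com server that serves the JSON. It also covers the first question on this page about Access-Control-Expose-Headers, by listing the headers scripts may read by name. Browsers never match a literal "https://*.example.com" in Access-Control-Allow-Origin, so the subdomain check is done by nginx and the exact requesting origin is echoed back; a map value containing a variable needs nginx 1.11.0 or later. The /data/ path, the certificate paths and the X-Request-Id header name are constructed for the example.

```nginx
# Added example: CORS for JSON served by example.com to its own subdomains.
# "map" belongs in the http context. Origins that do not match get an
# empty value, and add_header sends nothing for an empty value, so they
# are left to the browser's same-origin policy.
map $http_origin $cors_origin {
    default "";
    # example.com itself or exactly one label of subdomain over HTTPS.
    ~^https://([a-z0-9-]+\.)?example\.com$  $http_origin;
}

server {
    listen 443 ssl;
    server_name example.com;
    ssl_certificate     /etc/ssl/example.com.crt;   # placeholder path
    ssl_certificate_key /etc/ssl/example.com.key;   # placeholder path

    location /data/ {
        root /var/www/example.com;                  # placeholder: JSON files live here
        default_type application/json;

        # "always" keeps the headers on 4xx/5xx responses too; otherwise a
        # failing request shows up in the browser as a CORS error instead
        # of the real status code.
        add_header Access-Control-Allow-Origin  $cors_origin always;
        # Shared caches must key on Origin, or the value echoed for one
        # origin is replayed to a different one.
        add_header Vary Origin always;
        add_header Access-Control-Allow-Methods "GET, OPTIONS" always;
        add_header Access-Control-Allow-Headers "Content-Type, Accept" always;
        # Scripts only see non-simple response headers that are listed here.
        add_header Access-Control-Expose-Headers "X-Request-Id" always;
        add_header Access-Control-Max-Age 600 always;
        # Cookies/credentials are not enabled here; if they are needed, add
        # Access-Control-Allow-Credentials "true" and never widen the map
        # to "*", which browsers reject for credentialed requests anyway.

        # Preflight: answer OPTIONS directly. No add_header inside the if
        # block, so the location-level headers above are inherited by this
        # 204 response; an add_header here would cancel all of them.
        if ($request_method = OPTIONS) {
            return 204;
        }
    }
}
```

Restricting the regex to one subdomain label and to https:// keeps a lookalike such as https://example.com.evil.example from matching, since the pattern is anchored at both ends.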