handling CORS preflight request in Apache

Question

I have a AngularJS app deployed using Yeoman. Cakephp RESTful backend.

The Angular app sends in OPTIONS preflight requests, which the backend responds with forbidden

Answer 1

Add this to your .htaccess file to your apache root directory:

Header add Access-Control-Allow-Origin "*"
Header add Access-Control-Allow-Headers "origin, x-requested-with, content-type"
Header add Access-Control-Allow-Methods "PUT, GET, POST, DELETE, OPTIONS"

Make sure to activate the apache module headers:

a2enmod headers

Source: https://stackoverflow.com/a/11691776/1494875

Answer 2

I had the same question and the answer given does not solve the problem.

By looking around more I found you could do this using the rewrite, e.g:

RewriteEngine On                  
RewriteCond %{REQUEST_METHOD} OPTIONS 
RewriteRule ^(.*)$ $1 [R=200,L]    

(make sure you enable the rewrite mod)

Then you should use, the "always set" to set the headers, e.g:

Header always set Access-Control-Allow-Origin "*"                   
Header always set Access-Control-Allow-Methods "POST, GET, OPTIONS"

Explanations here: https://serverfault.com/questions/231766/returning-200-ok-in-apache-on-http-options-requests

Answer 3

If it helps - I was using authentication so I also had to add following to make POST request work for me:

<LimitExcept OPTIONS>
  Require valid-user 
</LimitExcept>