Access-Control-Allow-Headers #7

Open
phpcodingmaster opened this issue Oct 8, 2024 · 2 comments

Comments

phpcodingmaster commented Oct 8, 2024

Can someone please help me?
My API uses the below:

app()->cors([
    "origin" => "*",
    "credentials" => true,
    "preflightContinue" => true,
    "allowedHeaders" => "*",
    "methods" => "GET,HEAD,PUT,PATCH,POST,DELETE",
]);

But when I do a request with axios I get the error below

xxxxx from origin 'http://localhost:5173/' has been blocked by CORS policy: Request header field authorization is not allowed by Access-Control-Allow-Headers in preflight response.


@phpcodingmaster
Author

I have added the below and everything seems to work.

header("Access-Control-Allow-Origin: http://localhost:5173");
header("Access-Control-Expose-Headers: Content-Length, X-JSON");
header("Access-Control-Allow-Methods: GET, POST, PATCH, PUT, DELETE, OPTIONS");
header("Access-Control-Allow-Headers: Authorization, Content-Type, Accept, Origin, Referer, Host, Content-Length, Connection, Referer");
header("Access-Control-Allow-Credentials: true");

But now I am not using the CORS module of Leaf anymore.
At first it did not work with the Access-Control-Allow-Origin: * wildcard. I have changed the origin in the CORS module to "http://localhost:5173" instead of the wildcard, but still had the same issue.

Ideally I would like to use the CORS module instead, but if I set allowHeaders to * it does not work.
Could you maybe check that, if allowHeaders is = *, it is like the below by default? Even using an array to specify the below does not work.

header("Access-Control-Allow-Headers: Authorization, Content-Type, Accept, Origin, Referer, Host, Content-Length, Connection, Referer");
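
An added example (not from this thread and not Leaf's code) of the header check a browser applies to a preflight response under the Fetch standard: `*` in Access-Control-Allow-Headers never covers Authorization and is taken literally on credentialed requests. It assumes the preflight response carried a literal `*`, which the thread does not confirm; `checkPreflight`, `parseList` and the sample values are constructed for illustration.

```javascript
// Simplified header part of the browser's CORS preflight check (Fetch standard).
// Assumption: `requestHeaders` holds only the non-safelisted request header names,
// i.e. what the browser sends in Access-Control-Request-Headers.

// Split a comma-separated header value into lowercase tokens.
function parseList(value) {
  return (value || "").split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);
}

// Returns { ok: true } or { ok: false, reason } for one preflight response.
function checkPreflight({ origin, requestHeaders, credentialed }, response) {
  const allowOrigin = response["access-control-allow-origin"];
  const allowCreds = response["access-control-allow-credentials"];
  const allowed = parseList(response["access-control-allow-headers"]);

  // With credentials, "*" is not a wildcard for the origin; it must match exactly.
  if (credentialed) {
    if (allowOrigin !== origin) return { ok: false, reason: "origin must be echoed exactly" };
    if (allowCreds !== "true") return { ok: false, reason: "Access-Control-Allow-Credentials is not true" };
  } else if (allowOrigin !== "*" && allowOrigin !== origin) {
    return { ok: false, reason: "origin not allowed" };
  }

  // "*" in Access-Control-Allow-Headers only acts as a wildcard without credentials.
  const wildcard = !credentialed && allowed.includes("*");
  for (const name of requestHeaders.map((h) => h.toLowerCase())) {
    // Authorization is never covered by "*"; it has to be named explicitly.
    if (name === "authorization" && !allowed.includes(name)) {
      return { ok: false, reason: "authorization is not listed explicitly" };
    }
    if (!allowed.includes(name) && !wildcard) {
      return { ok: false, reason: `${name} is not allowed` };
    }
  }
  return { ok: true };
}

// Constructed sample: a client at http://localhost:5173 sending a bearer token and JSON.
const request = { origin: "http://localhost:5173", requestHeaders: ["Authorization", "Content-Type"], credentialed: true };
const wildcardResponse = {
  "access-control-allow-origin": "http://localhost:5173",
  "access-control-allow-credentials": "true",
  "access-control-allow-headers": "*",
};
const explicitResponse = { ...wildcardResponse, "access-control-allow-headers": "Authorization, Content-Type, Accept" };

console.log(checkPreflight(request, wildcardResponse));
console.log(checkPreflight(request, explicitResponse));
```

Listing only the headers the API actually reads keeps the allow-list narrow while still passing this check.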

@mychidarko mychidarko transferred this issue from leafsphp/leaf Oct 8, 2024
@mychidarko
Member

Hi @phpcodingmaster, can you pls share a screenshot of the non-sensitive response headers you get back using header() vs the ones you get back when you use app()->cors()?
