DigitalOcean

Report this

What is the reason for this report?
Question

CORs whitelist not applying in App Platform (Nodejs server)?

Posted on March 12, 2021
DigitalOcean App Platform
Node.js
richardwu

By richardwu

I have an Apollo GraphQL server w/ Express as the middleware. I have enabled cors as specified in the docs:

const app = express();
app.use(cors({ origin: "*" }));

const server = new ApolloServer({
 ...
});

server.applyMiddleware({
  app,
  path: "/graphql",
});

const httpServer = http.createServer(app);
server.installSubscriptionHandlers(httpServer);

After the app successfully launches, I verify that I can indeed navigate to the GraphQL playground at /graphql and execute a query.

However, when I try to perform requests from my React Native app, I get a CORS error:

Access to fetch at 'http://xxx.ondigitalocean.app:8080/graphql' from origin 'http://localhost:19006' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: Redirect is not allowed for a preflight request.

I have added both of the following to the CORS policy: http://localhost Prefix http://localhost:19006 Exact



This textbox defaults to using Markdown to format your answer.

You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

Sign In or Sign Up to Answer
These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.
0
Dikshith Shetty
Dikshith ShettyDigitalOcean Employee badge
March 17, 2021

Hello @richardwu

In App Platform, we only support “allow_origins” however “allow_headers” and “allow_methods” are not yet supported. You would need “allow_headers” to allow the “authorization” header to go through. The error message is due to the header is not allowed in a preflight request. The preflight request itself has a ‘Content-Type’ header which would be incorrect. That header would go in the follow-up request. As for using your own middleware (Express), is it possible to clear the CORS origins from your app configuration then we’ll pass the request directly through to the user.

In this case, I would recommend you to delete the CORS settings from the app config via cloud panel then you should manage the preflight request/headers without any issue via middleware.

Best, Dikshith

Become a contributor for community

Get paid to write technical tutorials and select a tech-focused charity to receive a matching donation.

Sign Up

DigitalOcean Documentation

Full documentation for every DigitalOcean product.

Learn more

Resources for startups and AI-native businesses

The Wave has everything you need to know about building a business, from raising funding to marketing your product.

Learn more

Get our newsletter

Stay up to date by signing up for DigitalOcean’s Infrastructure as a Newsletter.

New accounts only. By submitting your email you agree to our Privacy Policy

The developer cloud

Scale up as you grow — whether you're running one virtual machine or ten thousand.

Get started for free

Sign up and get $200 in credit for your first 60 days with DigitalOcean.*

*This promotional offer applies to new accounts only.

© 2026 DigitalOcean, LLC.Sitemap.