CORs whitelist not applying in App Platform (Nodejs server)?

I have an Apollo GraphQL server w/ Express as the middleware. I have enabled cors as specified in the docs:

const app = express();
app.use(cors({ origin: "*" }));

const server = new ApolloServer({

  path: "/graphql",

const httpServer = http.createServer(app);

After the app successfully launches, I verify that I can indeed navigate to the GraphQL playground at /graphql and execute a query.

However, when I try to perform requests from my React Native app, I get a CORS error:

Access to fetch at '' from origin 'http://localhost:19006' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: Redirect is not allowed for a preflight request.

I have added both of the following to the CORS policy: http://localhost Prefix http://localhost:19006 Exact

Submit an answer

This textbox defaults to using Markdown to format your answer.

You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

Sign In or Sign Up to Answer

These answers are provided by our Community. If you find them useful, show some love by clicking the heart. If you run into issues leave a comment, or add your own answer to help others.

Want to learn more? Join the DigitalOcean Community!

Join our DigitalOcean community of over a million developers for free! Get help and share knowledge in Q&A, subscribe to topics of interest, and get courses and tools that will help you grow as a developer and scale your project or business.

Hello @richardwu

In App Platform, we only support “allow_origins” however “allow_headers” and “allow_methods” are not yet supported. You would need “allow_headers” to allow the “authorization” header to go through. The error message is due to the header is not allowed in a preflight request. The preflight request itself has a ‘Content-Type’ header which would be incorrect. That header would go in the follow-up request. As for using your own middleware (Express), is it possible to clear the CORS origins from your app configuration then we’ll pass the request directly through to the user.

In this case, I would recommend you to delete the CORS settings from the app config via cloud panel then you should manage the preflight request/headers without any issue via middleware.

Best, Dikshith