CORS error when trying to POST data from a webform (other domain) to the API


  • Used Zammad version: 6.0.0
  • Used Zammad installation type: Package
  • Operating system: Debian 11
  • Browser + version: Microsoft Edge 115.0.1901.203 / Google Chrome 116.0.5845.96

Actual behavior:

  • the console is throwing the following error:
    Access to fetch at '' from origin '' has been blocked by CORS policy: Request header field authorization is not allowed by Access-Control-Allow-Headers in preflight response.

Steps to reproduce the behavior:

Where can i put the config (Access-Control-Allow-Origin), to send the data from another domain to the API?

1 Like

If you didn’t resolve it, you need to modify the file called sets_headers.rb

Inside both def(set_access_control_headers_execute && cors_preflight_check) add the ‘Authorization’ inside the headers[‘Access-Control-Allow-Headers’] and should look like this:

headers['Access-Control-Allow-Headers']     = 'Content-Type, Depth, User-Agent, X-File-Size, X-Requested-With, If-Modified-Since, X-File-Name, Cache-Control, Accept-Language, Authorization'