Fixed PHP CORS Error: Header Authorization Is Not Allowed According To Header

This Page Contains information about Fixed PHP CORS Error: Header Authorization Is Not Allowed According To Header By edw in category PHP with 0 Replies. [5302], Last Updated: Sat Dec 27, 2025

edw

Sun Mar 31, 2024

0 Comments

1210 Visits

UPDATE: 12/27/2025 - Kept getting this error from a react app on http:localhost:5173 to xampp php5 using https. I added https to vitejs and still getting the same error. I was using axios. Weird because on oinic app also using axios and it worked on port 8001. The only thing that worked was instead of using axios, i used fetch and it worked. I was able to not get CORS errors anymore.

CORS FAILED
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://localhost/webune/quiz/api. (Reason: CORS header ‘Access-Control-Allow-Origin’ missing). Status code: 301.

Another solution I found that I had this endpoint using POST without a slash at the end. Weird!!!!

https://localhost/quiz/api - NOT WORKED
https://localhost/quiz/api/ - YES WORKED

FIX: Google AI

Changed from:

//if (!$Debug) {
    header("Access-Control-Allow-Origin: *");
    // if($_POST['webuneDebug']) header("Access-Control-Allow-Methods: GET");
    header("Access-Control-Allow-Methods: *");
    header("Access-Control-Allow-Credentials: true");
    header("Access-Control-Max-Age: 3600");
    header("Access-Control-Allow-Headers: Content-Type, Access-Control-Allow-Headers, Authorization, X-Requested-With");
    header("Content-Type: application/json; charset=UTF-8");
//}

TO THIS:

// WORKS WITH REACT APP on localhost:5173
// 1. Handle the Preflight (OPTIONS) request
if ($_SERVER['REQUEST_METHOD'] === 'OPTIONS') {
    // Allow any origin, or replace * with your specific domain for security
    //header("Access-Control-Allow-Origin: https://localhost:5173");// WORDS
    header("Access-Control-Allow-Origin: *");
    // Allow specific methods Axios might use
    header("Access-Control-Allow-Methods: POST, GET, OPTIONS, DELETE, PUT");
    // Allow the headers Axios sends (like Content-Type and Authorization)
    header("Access-Control-Allow-Headers: Content-Type, Authorization, X-Requested-With");
    // Exit immediately after sending preflight headers
    exit(0);
}

// 2. Add headers for the actual GET/POST request that follows
// header("Access-Control-Allow-Origin: https://localhost:5173");// WORDS
header("Access-Control-Allow-Origin: *");
header("Content-Type: application/json; charset=UTF-8");

To fix the following errors: Add these headers for an API. I was testing this from a React/Vite App with PHP on the backend for API. Multiple Solutions:

source: /f/apachefriends/xampp/htdocs/webune/quiz/api

Solution 1:

    header("Access-Control-Allow-Origin: https://localhost:5174");
    header("Access-Control-Allow-Methods: POST");
    header("Access-Control-Allow-Credentials: true");
    header("Access-Control-Max-Age: 3600");
    header("Access-Control-Allow-Headers: Content-Type, Access-Control-Allow-Headers, Authorization, X-Requested-With");
    header("Content-Type: application/json; charset=UTF-8");

With Multiple ORGINS:

    $http_origin = $_SERVER['HTTP_ORIGIN'];

    if ($http_origin == "https://localhost:5174" || $http_origin == "https://xxxxx.pages.dev")
    {  
        header("Access-Control-Allow-Origin: $http_origin");
    }

Solution 2:

    // Decide if the origin in $_SERVER['HTTP_ORIGIN'] is one
    // you want to allow, and if so:
    header("Access-Control-Allow-Origin: https://localhost:5174");
    header('Access-Control-Allow-Credentials: true');
    header('Access-Control-Max-Age: 86400');    // cache for 1 day
// Access-Control headers are received during OPTIONS requests
if ($_SERVER['REQUEST_METHOD'] == 'OPTIONS') {

    if (isset($_SERVER['HTTP_ACCESS_CONTROL_REQUEST_METHOD']))
        header("Access-Control-Allow-Methods: GET, POST, PUT, PATCH, OPTIONS");

    if (isset($_SERVER['HTTP_ACCESS_CONTROL_REQUEST_HEADERS']))
        header("Access-Control-Allow-Headers: {$_SERVER['HTTP_ACCESS_CONTROL_REQUEST_HEADERS']}");
    die('OK!');
}

Source: https://stackoverflow.com/a/76490575

The console errors were:

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://localhost/quiz/api/. (Reason: expected ‘true’ in CORS header ‘Access-Control-Allow-Credentials’).
2
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://localhost/quiz/api/. (Reason: CORS request did not succeed). Status code: (null).

Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at http://localhost/quiz/api/. (Reason: CORS request did not succeed). Status code: (null).

Reason: header ‘authorization’ is not allowed according to header ‘Access-Control-Allow-Headers’ from CORS preflight response)

Solution 3

php with axios = error: cors preflight did not succeed

Solution: https://stackoverflow.com/a/55392661

React Play Audio Component For React Application Mp3 Button

Fixed PHP CORS Error: Header Authorization Is Not Allowed According To Header

PREVIOUS POST:

Solution 1:

With Multiple ORGINS:

Solution 2:

Related Pages