[Fixed]-How to make GET CORS request with authorization header


To pass authorization headers you must set Access-Control-Allow-Credentials to true.

The problem is that, according to specification (MDN explains it simpler), if Access-Control-Allow-Credentials is set to true, Access-Control-Allow-Origin cannot contain *, therefore allowing any hosts making requests with credentials attached.

There are two options to solve this problem:

  • Set Access-Control-Allow-Origin to actual host making requests
  • If there are more than one host: “canonical” way would be to have a whitelist of hosts in application itself, than check Origin header if it’s on the list and adding Origin as Access-Control-Allow-Origin header value.

With Django, check for Origin and adding a header can be made in Middleware, but that would make a decent question on it’s own (and probably have been already asked)


Leave a comment