Environment variables for REST API and GraphQL headers for Adobe Commerce Cloud

[git-hari-j]

Can someone paste a few working examples of the headers required for Adobe Commerce Cloud? I tried all options below but am still getting the CORS error while

CONFIG__DEFAULT__WEB__API__REST__CORS_ALLOW_CREDENTIALS: 1
CONFIG__DEFAULT__WEB__API__REST__CORS_ALLOWED_METHODS: GET, POST, OPTIONS, HEAD
CONFIG__DEFAULT__WEB__GRAPHQL__CORS_ALLOWED_METHODS: GET, POST, OPTIONS, HEAD
CONFIG__DEFAULT__WEB__API__REST__CORS_ALLOWED_ORIGIN: *
CONFIG__DEFAULT__WEB__GRAPHQL__CORS_ALLOWED_ORIGIN: *

[damienwebdev]

those look correct to me.

I've confirmed that this works:

CONFIG__DEFAULT__WEB__GRAPHQL__CORS_ALLOWED_HEADERS='content-type, store, authorization, x-magento-cache-id, x-recaptcha'

[git-hari-j]

Thank you for your time and response.

I've created the following 5 environment variables in the cloud console and verified that these reflect in the cloud using the 'env' command.

CONFIG__DEFAULT__WEB__API__REST__CORS_ALLOW_CREDENTIALS: 1
CONFIG__DEFAULT__WEB__API__REST__CORS_ALLOWED_METHODS: GET, POST, OPTIONS, HEAD
CONFIG__DEFAULT__WEB__GRAPHQL__CORS_ALLOWED_METHODS: GET, POST, OPTIONS, HEAD
CONFIG__DEFAULT__WEB__API__REST__CORS_ALLOWED_ORIGIN: *
CONFIG__DEFAULT__WEB__GRAPHQL__CORS_ALLOWED_ORIGIN: *
CONFIG__DEFAULT__WEB__GRAPHQL__CORS_ALLOWED_HEADERS: content-type, store, authorization, x-magento-cache-id, x-recaptcha

However the CORS issue persists

This is my simple jQuery function to test

$(document).ready(function() {
var settings = {
"url": "https://<magento_base_url>/V1/integration/customer/token",
"method": "POST",
"timeout": 0,
"headers": {
"Content-Type": "application/json"
},
"data": JSON.stringify({
"username": ,
"password":
}),
};

returns a CORS error in the Network tab (developer tools) of the browser. The 'OPTIONS' call goes through, but the 'POST' fails

Can you please suggest the next steps to debug?

[damienwebdev]

Can you Copy as cURL the request being sent from the network tab along with the response received for both the Options and Post request?

Additionally, if there's an error in your browser's console, can you post that as well?

[git-hari-j]

Here is the OPTIONS request.
curl 'https://<magento_base_url>/V1/integration/customer/token'
-X 'OPTIONS'
-H 'Accept: /'
-H 'Accept-Language: en-US,en;q=0.9'
-H 'Access-Control-Request-Headers: content-type,store'
-H 'Access-Control-Request-Method: POST'
-H 'Cache-Control: no-cache'
-H 'Connection: keep-alive'
-H 'Origin: null'
-H 'Pragma: no-cache'
-H 'Sec-Fetch-Dest: empty'
-H 'Sec-Fetch-Mode: cors'
-H 'Sec-Fetch-Site: cross-site'
-H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36'

The response is a HTTP Code 200

Here is the POST request that runs after the OPTIONS request
curl 'https://<magento_base_url>/V1/integration/customer/token'
-H 'sec-ch-ua-platform: "macOS"'
-H 'Referer;'
-H 'sec-ch-ua: "Google Chrome";v="135", "Not-A.Brand";v="8", "Chromium";v="135"'
-H 'Store: tmo_view'
-H 'sec-ch-ua-mobile: ?0'
-H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/135.0.0.0 Safari/537.36'
-H 'Accept: /'
-H 'Content-Type: application/json'
--data-raw '{"username":<user_id>,"password":}'
The response is a HTTP Code "CORS Error"

Console log:
Access to XMLHttpRequest at 'https:/<magento_url>/V1/integration/customer/token' from origin 'null' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.

[damienwebdev]

@git-hari-j please post the response headers of both requests. your error indicates that the post request would never be run since preflight request doesn't pass access control check.

[git-hari-j]

You are right:

OPTIONS response headers
HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/html; charset=UTF-8
Date: Fri, 11 Apr 2025 17:25:06 GMT
Strict-Transport-Security: max-age=0
Traceresponse: 00-1835538f942e4164ed4945d121e110a9-5dd5eb7c5d6e35bf-01
Vary: Origin
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
X-Debug-Info: eyJyZXRyaWVzIjowfQ==
X-Frame-Options: SAMEORIGIN
X-Magento-Cloud-Cluster: qslkp4psgn6ta-demo-fklvc3a
X-Magento-Cloud-Processor: ue4kwwaprzfnxlrizoi42w7cby
X-Magento-Cloud-Router: 4e2gpy6hkfyshsinjqzn2p7ov4
X-Robots-Tag: noindex, nofollow
X-Xss-Protection: 1; mode=block
Content-Length: 20

The POST reponse headers are blank

[damienwebdev]

I think the issue is two separate things:

CONFIG__DEFAULT__WEB__API__REST__CORS_ALLOWED_ORIGIN: *
CONFIG__DEFAULT__WEB__API__REST__CORS_ALLOW_CREDENTIALS: 1
CONFIG__DEFAULT__WEB__API__REST__CORS_ALLOWED_METHODS: GET, POST, OPTIONS, HEAD

should be:

CONFIG__DEFAULT__WEB__API_REST__CORS_ALLOWED_ORIGIN: *
CONFIG__DEFAULT__WEB__API_REST__CORS_ALLOW_CREDENTIALS: 1
CONFIG__DEFAULT__WEB__API_REST__CORS_ALLOWED_METHODS: GET, POST, OPTIONS, HEAD

Specifically, API__REST should be API_REST. You only need 1 underscore here.

Additionally, from your request headers, you also need: CONFIG__DEFAULT__WEB__API_REST__CORS_ALLOW_HEADERS

CONFIG__DEFAULT__WEB__API_REST__CORS_ALLOW_HEADERS: content-type, store

[git-hari-j]

Hi Damien,

Still the same issue. I've attached a snapshot of the actual variable used on th commerce cloud instance. Does it help in further debugging?

After adding the above variables. OPTIONS is HTTP 200 and the reponse headers are below
HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/html; charset=UTF-8
Date: Sat, 12 Apr 2025 16:22:42 GMT
Strict-Transport-Security: max-age=0
Traceresponse: 00-18359ebc51e277529afc9f417ed73767-a2717e1312a36b1e-01
Vary: Origin
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
X-Debug-Info: eyJyZXRyaWVzIjowfQ==
X-Frame-Options: SAMEORIGIN
X-Magento-Cloud-Cluster: qslkp4psgn6ta-demo-fklvc3a
X-Magento-Cloud-Processor: ue4kwwaprzfnxlrizoi42w7cby
X-Magento-Cloud-Router: 4e2gpy6hkfyshsinjqzn2p7ov4
X-Robots-Tag: noindex, nofollow
X-Xss-Protection: 1; mode=block
Content-Length: 20

POST Response headers are blank with a CORS Error

[damienwebdev]

I tried a simple request in my local environment:

curl --location --request OPTIONS 'https://localhost:59128/rest/default/V1/directory/currency' \
--header 'Origin: http://localhost:4200' 

I used the env settings:

CONFIG__DEFAULT__WEB__API_REST__CORS_ALLOWED_ORIGIN: *
CONFIG__DEFAULT__WEB__API_REST__CORS_ALLOWED_METHODS: GET, POST, OPTIONS

And my response headers were:

HTTP/2 200 
access-control-allow-methods: GET,POST,OPTIONS
access-control-allow-origin: *
access-control-max-age: 86400
age: 0
cache-control: no-store, no-cache, must-revalidate, max-age=0
content-type: text/html; charset=UTF-8
date: Tue, 15 Apr 2025 20:06:34 GMT
expires: -1
pragma: no-cache
server: nginx/1.16.1
vary: Accept-Encoding, Origin
via: 1.1 exampleproject-varnish (Varnish/7.5)
x-cache: MISS
x-cache-hits: 0
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-powered-by: PHP/8.3.20
x-varnish: 1966143
x-xss-protection: 1; mode=block
content-length: 0

[git-hari-j]

Just FYI. Even after making all changes suggested, nothing worked. I then updated the app/etc/env.php on the cloud instance with the following
.....
'system' => [
'default' => [
'catalog' => ['search' => ['engine' => 'opensearch', 'opensearch_server_hostname' => 'http: //opensearch.internal', 'opensearch_server_port' => 9200]],
'web' => [
'graphql' => [
'cors_allowed_origins' => '',
'cors_allowed_methods' => 'GET, POST, OPTIONS',
'cors_allowed_headers' => 'content-type, store, authorization, x-magento-cache-id, x-recaptcha',
'cors_max_age' => '86400',
'cors_allow_credentials' => 1,
],
'api_rest' => [
'cors_allowed_origins' => '',
'cors_allowed_methods' => 'GET, POST, OPTIONS',
'cors_allowed_headers' => 'content-type, store, authorization, x-magento-cache-id, x-recaptcha',
'cors_max_age' => '86400',
'cors_allow_credentials' => 1,
],
],
],
],
...
The ran bin/magento app:config:import on the cloud server after logging into SSH. Only then the CORS issue was resolved.