You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Portal B10: apply review learnings to CORS troubleshooting page
- Add sidebarTitle and keywords to frontmatter
- Link PORTAL_CORS_ENABLE, PORTAL_CORS_ALLOW_CREDENTIALS, and
PORTAL_CORS_ALLOWED_ORIGINS in prose to their config reference anchors
- Replace em-dashes in all four accordion titles with restructured phrasing
Copy file name to clipboardExpand all lines: portal/troubleshooting/cors-issues.mdx
+8-6Lines changed: 8 additions & 6 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -1,12 +1,14 @@
1
1
---
2
2
title: "Troubleshoot CORS Issues"
3
+
sidebarTitle: "CORS Issues"
3
4
description: "Diagnose and fix CORS errors in the Tyk Developer Portal and API Playground."
5
+
keywords: "CORS, troubleshooting, Access-Control-Allow-Origin, API Playground, PORTAL_CORS_ENABLE, TT-15960"
4
6
---
5
7
6
8
Cross-origin errors in the Developer Portal arise from two independent layers: the Portal application itself and the Tyk Gateway APIs that the API Playground calls directly. Identify which layer is failing before applying a fix.
7
9
8
10
<AccordionGroup>
9
-
<Accordiontitle="Browser blocks responses from the Portal — Access-Control-Allow-Origin header missing">
11
+
<Accordiontitle="Access-Control-Allow-Origin header missing from Portal responses">
10
12
**Symptom**
11
13
12
14
Requests from your application to the Portal Admin API or Live Portal routes fail. The browser console shows:
@@ -19,14 +21,14 @@ Cross-origin errors in the Developer Portal arise from two independent layers: t
19
21
20
22
**Cause**
21
23
22
-
`PORTAL_CORS_ENABLE` is `false` (the default). The Portal's CORS middleware is disabled, so no `Access-Control-Allow-Origin` header is added to any response and `OPTIONS` preflight requests fall through to the router with no matching handler.
24
+
[PORTAL_CORS_ENABLE](/product-stack/tyk-enterprise-developer-portal/deploy/configuration#portal-cors-enable) is `false` (the default). The Portal's CORS middleware is disabled, so no `Access-Control-Allow-Origin` header is added to any response and `OPTIONS` preflight requests fall through to the router with no matching handler.
23
25
24
26
**Fix**
25
27
26
28
Enable Portal CORS and set your allowed origins. See [Configure Portal Application CORS](/portal/how-to-guides/configure-cors#configure-portal-application-cors).
27
29
</Accordion>
28
30
29
-
<Accordiontitle="API Playground requests fail — 401 Unauthorized or missing CORS headers from Gateway">
31
+
<Accordiontitle="API Playground requests fail with 401 Unauthorized or missing CORS headers">
30
32
**Symptom**
31
33
32
34
Test requests in the API Playground fail. The browser console shows one of:
@@ -46,7 +48,7 @@ Cross-origin errors in the Developer Portal arise from two independent layers: t
46
48
Configure CORS on the API definition and add your Portal URL to the allowed origins. See [Configure Gateway CORS for APIs](/portal/how-to-guides/configure-cors#configure-gateway-cors-for-apis).
47
49
</Accordion>
48
50
49
-
<Accordiontitle="403 Forbidden on OPTIONS preflight — Gateway v5.8.6–v5.8.13 regression (TT-15960)">
51
+
<Accordiontitle="403 Forbidden on OPTIONS preflight in Gateway v5.8.6–v5.8.13 (TT-15960)">
50
52
**Symptom**
51
53
52
54
API Playground requests fail on Gateway versions v5.8.6 through v5.8.13, even when CORS is correctly configured and the Portal origin is in `allowed_origins`. The browser console shows:
@@ -74,7 +76,7 @@ Cross-origin errors in the Developer Portal arise from two independent layers: t
74
76
Upgrade Tyk Gateway to v5.8.14 or later, where the middleware ordering is corrected.
75
77
</Accordion>
76
78
77
-
<Accordiontitle="Browser CORS error — credentials rejected with wildcard origin">
79
+
<Accordiontitle="CORS error: wildcard origin rejected when credentials are enabled">
78
80
**Symptom**
79
81
80
82
Credentialed cross-origin requests to the Portal fail. The browser console shows:
@@ -85,7 +87,7 @@ Cross-origin errors in the Developer Portal arise from two independent layers: t
85
87
86
88
**Cause**
87
89
88
-
`PORTAL_CORS_ALLOW_CREDENTIALS=true` is set alongside `PORTAL_CORS_ALLOWED_ORIGINS=*`. The Portal's CORS library (`rs/cors`) does not reject this combination at startup — it returns both `Access-Control-Allow-Origin: *` and `Access-Control-Allow-Credentials: true` in the response. The CORS specification forbids this combination, so the browser rejects the response.
90
+
[PORTAL_CORS_ALLOW_CREDENTIALS](/product-stack/tyk-enterprise-developer-portal/deploy/configuration#portal-cors-allow-credentials)=true is set alongside [PORTAL_CORS_ALLOWED_ORIGINS](/product-stack/tyk-enterprise-developer-portal/deploy/configuration#portal-cors-allowed-origins)=*. The Portal's CORS library (`rs/cors`) does not reject this combination at startup — it returns both `Access-Control-Allow-Origin: *` and `Access-Control-Allow-Credentials: true` in the response. The CORS specification forbids this combination, so the browser rejects the response.
0 commit comments