CORS errors on all nginx vhosts — missing headers caused customer login failures #1
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Summary
All nginx vhosts (14 frontend domains + auth.bcos.cloud + api.bcos.cloud) were missing CORS headers. This caused browser CORS errors for customers logging in from the desktop browser app and for any cross-origin API call between SPAs.
Root Cause
Each service has its own nginx vhost conf file (analytics.conf, fleet.conf, profile.conf, etc.). None had CORS configuration. Preflight OPTIONS requests were proxied straight to Spring Security, which rejected them with 403 Invalid CORS request if the origin was not in CORS_ALLOWED_ORIGINS.
Additionally, Spring Security was rejecting same-origin form submissions from the Electron auth window because Chromium adds an Origin header on form POSTs, and api.bcos.cloud was not in the allowed origins list.
Fix Applied (2026-06-15)
Nginx is now the single authoritative CORS handler — Spring Security never sees the Origin header.
New files added to nginx conf.d/:
Files patched (added cors_include + OPTIONS 204 to every location block):
api.conf, auth.conf, adoons.conf, analytics.conf, claims.conf, dashboard.conf, devices.conf, fleet.conf, mgmt.conf, messaging.conf, msp.conf, profile.conf, recon.conf, reports.conf, transactions.conf, vault.conf
Impact
Follow-up
These nginx conf files are not in source control. They should be versioned in hiveiq-ops so future vhosts get the CORS pattern from day one. Any new vhost must include cors_include.conf in every location block.