phanimahesh released this 13 Aug 05:50 · 22 commits to master since this release
Preflight requests are sent by browsers without credentials. If an API that uses key-based authentication has no exemption for OPTIONS requests, its preflight requests will never succeed.
We disable the API key requirement for all OPTIONS requests. This behaviour can be overridden on a per-API basis by setting sub request rules.
We also add Access-Control-Allow-Headers: x-api-key to allow the actual authenticated request to go through. If more headers need to be whitelisted, a sub request rule can be set as appropriate.
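The behaviour described in this release, modelled as an added example (not the project's own code): a gateway that answers OPTIONS without a key and advertises x-api-key, plus a simplified version of the browser's preflight check. The function names, the sample key and the origin are assumptions made for illustration.

```python
# Added illustration; all names and values below are hypothetical/constructed.
VALID_KEYS = {"demo-key-123"}            # constructed sample key
ALLOWED_ORIGIN = "https://app.example"   # constructed sample origin

def gateway(method, headers, exempt_options=True):
    """Return (status, response_headers) for a request to a key-protected API."""
    h = {k.lower(): v for k, v in headers.items()}
    if method == "OPTIONS" and exempt_options:
        # Preflight is answered without a key and lists the header that may follow.
        return 204, {
            "Access-Control-Allow-Origin": ALLOWED_ORIGIN,
            "Access-Control-Allow-Headers": "x-api-key",
        }
    if h.get("x-api-key") not in VALID_KEYS:
        return 401, {}                   # every other request still needs a key
    return 200, {"Access-Control-Allow-Origin": ALLOWED_ORIGIN}

def preflight_passes(status, resp, origin, requested_headers):
    """Simplified browser check: 2xx status, origin allowed, headers allowed."""
    if not 200 <= status < 300:
        return False
    if resp.get("Access-Control-Allow-Origin") not in ("*", origin):
        return False
    allowed = {x.strip().lower()
               for x in resp.get("Access-Control-Allow-Headers", "").split(",")}
    return all(r.lower() in allowed for r in requested_headers)

def browser_fetch(origin, api_key, extra_headers=(), exempt_options=True):
    """Preflight (no credentials), then the real GET. None means browser-blocked."""
    requested = ["x-api-key", *extra_headers]
    preflight = {
        "Origin": origin,
        "Access-Control-Request-Method": "GET",
        "Access-Control-Request-Headers": ",".join(requested),
    }
    status, resp = gateway("OPTIONS", preflight, exempt_options)
    if not preflight_passes(status, resp, origin, requested):
        return None
    actual = {"Origin": origin, "x-api-key": api_key}
    actual.update({name: "1" for name in extra_headers})
    return gateway("GET", actual, exempt_options)[0]

if __name__ == "__main__":
    print(browser_fetch(ALLOWED_ORIGIN, "demo-key-123"))                        # exemption on
    print(browser_fetch(ALLOWED_ORIGIN, "demo-key-123", exempt_options=False))  # exemption off
    print(browser_fetch(ALLOWED_ORIGIN, "wrong-key"))                           # bad key
    print(browser_fetch(ALLOWED_ORIGIN, "demo-key-123", ["x-request-id"]))      # extra header
```

The exemption applies only to the preflight, so the actual request with a bad key is still rejected, and a header other than x-api-key fails the preflight until it is added to the allowed list.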