I have an app built on laravel and locally it all works fine, but in server it does not work correctly.
The app is hosted on nginx and PUT, POST, DELETE requests are able to send Authorization header to API except for GET request.
Which makes it weird because I know that on apache you need to allow Authorization header and on nginx there is no need for that.
Also I have debugged when I call route Route::get('reports/{amount}','ReportsController@show');
Authorization header does not reach API but it does exist in request header.
And when I change route method to POST:
Route::post('reports/{amount}','ReportsController@show'); the Authorization header reaches API.
This is the server's nginx config:
server {
listen 80;
listen [::]:80;
client_max_body_size 10M;
#add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
add_header X-Frame-Options SAMEORIGIN;
add_header X-Frame-Options 'allow-from https://www.someweb.com';
add_header X-Frame-Options 'allow-from https://www.someweb.com';
add_header X-Content-Type-Options nosniff;
add_header 'Referrer-Policy' 'strict-origin';
add_header X-XSS-Protection "1; mode=block";
root /var/www/html;
index index.html index.htm index.nginx-debian.html, index.php;
error_page 404 /404.html;
include snippets/fastcgi-php.conf;
location /security {
alias /var/www/html/security/public;
try_files $uri $uri/ @security;
location ~ \.php$ {
include snippets/fastcgi-php.conf;
fastcgi_param SCRIPT_FILENAME $request_filename;
fastcgi_pass unix:/run/php/php7.2-fpm.sock;
}
}
location @security {
rewrite /security/(.*)$ /security/index.php?/$1 last;
}
}
I am not very familiar with nginx but I do not see any exclusion for headers or GET requests. Has anyone came across this problem?
Is there anyway to identify where problem lies? Since my browser has header and API does not get it I assume it is server's fault, but I have no idea how to fix it.
