I have an app built on Laravel; locally it all works fine, but on the server it does not work correctly.
The app is hosted on nginx, and PUT, POST and DELETE requests are able to send the Authorization header to the API, but GET requests are not.
This makes it weird, because I know that on Apache you need to allow the Authorization header, whereas on nginx there is no need for that.
I have also debugged it: when I call the route Route::get('reports/{amount}','ReportsController@show');
the Authorization header does not reach the API, but it does exist in the request headers.
And when I change the route method to POST:
Route::post('reports/{amount}','ReportsController@show');
the Authorization header reaches the API.
This is the server's nginx config:
server {
    listen 80;
    listen [::]:80;
    client_max_body_size 10M;
    #add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Frame-Options SAMEORIGIN;
    # 'allow-from' is not honoured by most browsers and conflicts with SAMEORIGIN above
    add_header X-Frame-Options 'allow-from https://www.someweb.com';
    add_header X-Content-Type-Options nosniff;
    add_header 'Referrer-Policy' 'strict-origin';
    add_header X-XSS-Protection "1; mode=block";
    root /var/www/html;
    # index takes a space-separated list (no commas)
    index index.html index.htm index.nginx-debian.html index.php;
    error_page 404 /404.html;
    include snippets/fastcgi-php.conf;
    location /security {
        alias /var/www/html/security/public;
        try_files $uri $uri/ @security;
        location ~ \.php$ {
            include snippets/fastcgi-php.conf;
            fastcgi_param SCRIPT_FILENAME $request_filename;
            fastcgi_pass unix:/run/php/php7.2-fpm.sock;
        }
    }
    location @security {
        rewrite /security/(.*)$ /security/index.php?/$1 last;
    }
}
I am not very familiar with nginx, but I do not see any exclusion for headers or GET requests. Has anyone come across this problem?
Is there any way to identify where the problem lies? Since my browser sends the header and the API does not get it, I assume it is the server's fault, but I have no idea how to fix it.
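As an added diagnostic (not part of the question or the answer), the script below sends the same Authorization header with GET, POST, PUT and DELETE to one URL and records, per method, the status code and whether the backend reported receiving the header, without following redirects so that any 3xx hop shows up in the result. It assumes the route under test echoes the received Authorization value as JSON; the local echo server, the token and the /security/reports/5 path are constructed placeholders standing in for the real API.

```python
import json
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

class EchoHandler(BaseHTTPRequestHandler):
    # Constructed stand-in for the API: reports the Authorization value it received.
    def _reply(self):
        body = json.dumps({"method": self.command,
                           "authorization": self.headers.get("Authorization")}).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
    do_GET = do_POST = do_PUT = do_DELETE = _reply
    def log_message(self, *args):  # keep the check quiet
        pass

class NoRedirect(urllib.request.HTTPRedirectHandler):
    # Surface 3xx responses instead of following them (a hop where headers can be lost).
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def probe(url, token, methods=("GET", "POST", "PUT", "DELETE")):
    """Send the same Authorization header with each method; return per-method results."""
    opener = urllib.request.build_opener(NoRedirect)
    results = {}
    for method in methods:
        req = urllib.request.Request(url, method=method,
                                     headers={"Authorization": f"Bearer {token}"})
        try:
            with opener.open(req, timeout=5) as resp:
                status, body = resp.status, resp.read()
        except urllib.request.HTTPError as err:  # 3xx/4xx/5xx: still record it
            status, body = err.code, err.read()
        try:
            seen = json.loads(body).get("authorization")
        except (ValueError, AttributeError):
            seen = None  # non-JSON reply, e.g. a redirect or an error page
        results[method] = {"status": status, "authorization_seen": seen}
    return results

def run_local_check(token="constructed-token"):
    server = HTTPServer(("127.0.0.1", 0), EchoHandler)  # constructed local API
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return probe(f"http://127.0.0.1:{server.server_port}/security/reports/5", token)
    finally:
        server.shutdown()
```

Against the real deployment, call probe() with the nginx-fronted URL of a route that echoes the header: a method whose status is 3xx or whose authorization_seen is None is the one to trace through the nginx and PHP-FPM logs.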
I am almost certain that you have to add it to the list of allowed headers that can be received in your nginx config.
I am almost in the same boat as you, so I will probably have the same issue, but as it stands I know that in my dev environment allowHeaders is set to a wildcard.
You might also have to list
add_header Access-Control-Allow-Methods "GET, POST, DELETE, OPTIONS";
or use *?