MEDIUM 🛠️ Agentic Engineering

CORS From Hell — The Preflight Mystery

Description

You're building a React dashboard that calls your company's internal API. GET requests work perfectly. But the moment you try to POST a new record, the browser throws a CORS error. The backend dev swears they added CORS headers in Express middleware.


You check the Network tab and see a failed OPTIONS request with a 405 status. The backend is an Express server behind nginx. GET requests work because they use simple headers and never trigger preflight. Your POST sends Content-Type: application/json, which triggers a CORS preflight OPTIONS request.
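
The simple-versus-preflighted distinction above, as an added example that is not part of the original challenge: a simplified JavaScript classifier built on the Fetch standard's CORS-safelisted methods and request headers. The function names are hypothetical, the sample requests are constructed from the scenario, and the model ignores the standard's header value-length limits and its Range header rule.

```javascript
// Simplified model of the browser's preflight decision (added example).
// Assumption: only author-set headers are passed in; names below are hypothetical.
const SAFE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded",
  "multipart/form-data",
  "text/plain",
]);
const SAFE_HEADERS = new Set(["accept", "accept-language", "content-language"]);

// Returns the lowercase names of headers that are not CORS-safelisted.
function unsafeHeaders(headers) {
  const out = [];
  for (const [name, value] of Object.entries(headers)) {
    const n = name.toLowerCase();
    if (n === "content-type") {
      // Only the MIME type matters; parameters such as charset are ignored.
      const essence = String(value).split(";")[0].trim().toLowerCase();
      if (!SAFE_CONTENT_TYPES.has(essence)) out.push(n);
    } else if (!SAFE_HEADERS.has(n)) {
      out.push(n);
    }
  }
  return out.sort();
}

// Returns the OPTIONS preflight the browser would send first, or null when
// the request is "simple" and goes out directly.
function preflightFor(method, headers = {}) {
  const m = method.toUpperCase();
  const bad = unsafeHeaders(headers);
  if (SAFE_METHODS.has(m) && bad.length === 0) return null;
  const reqHeaders = { "Access-Control-Request-Method": m };
  if (bad.length) reqHeaders["Access-Control-Request-Headers"] = bad.join(",");
  return { method: "OPTIONS", headers: reqHeaders };
}

// Constructed sample requests modeled on the dashboard scenario.
function demo() {
  return {
    get: preflightFor("GET", { Accept: "application/json" }),
    jsonPost: preflightFor("POST", { "Content-Type": "application/json" }),
    textPost: preflightFor("POST", { "Content-Type": "text/plain; charset=utf-8" }),
    del: preflightFor("DELETE"),
  };
}
console.log(JSON.stringify(demo(), null, 2));
```

Every request for which `preflightFor` returns a non-null value depends on the proxy and the backend both answering OPTIONS successfully before the real request is ever sent.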


Look at the nginx config. Something is blocking OPTIONS before it ever reaches Express.


The proxy giveth, and the proxy taketh away.


What HTTP method is nginx blocking that causes the preflight to fail?

Input Data

```nginx
# /etc/nginx/sites-enabled/api.conf
server {
    listen 443 ssl;
    server_name api.internal.acme.co;

    ssl_certificate /etc/ssl/certs/acme.pem;
    ssl_certificate_key /etc/ssl/private/acme.key;

    location /api/ {
        limit_except GET POST PUT DELETE {
            deny all;
        }
        proxy_pass http://127.0.0.1:3001/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

```
// Browser console:
Access to XMLHttpRequest at 'https://api.internal.acme.co/api/records'
from origin 'https://dashboard.acme.co' has been blocked by CORS policy:
Response to preflight request doesn't pass access control check:
It does not have HTTP ok status.

// Network tab:
OPTIONS https://api.internal.acme.co/api/records  405 Method Not Allowed
```
