Title: Proper status code on preflight OPTIONS request Last modified: July 17, 2019 --- # Proper status code on preflight OPTIONS request * [uamv](https://wordpress.org/support/users/uamv/) * (@uamv) * [6 years, 10 months ago](https://wordpress.org/support/topic/proper-status-code-on-preflight-options-request/) * I’m attempting to query my WordPress site via the REST API by fetching from javascript. To handle authentication, I have installed the [JWT Auth plugin](https://github.com/WP-API/jwt-auth). I am able to successfully generate and return an access token. However, when I attempt to use that access token for future requests, the preflight OPTIONS request encounters a `403 Forbidden` status code. A `200 Okay` is needed to proceed with the request. I expect this is something in the configuration of my WordPress site or, more likely, in the server on which it is hosted. I expect WordPress or the JWT Auth plugin should be handling this response properly, but that may not be. Full response and request headers are below. * I’ve been scouring the internet for fixes to this and haven’t been able to locate any good direction on how to proceed. Any assistance or thoughts will be appreciated. Thanks! * _Note: I realize this endpoint doesn’t need authentication, but others I plan to hit will._ * —– * **General:** Request URL: [https://[redacted].com/wp-json/wp/v2/posts](https://[redacted].com/wp-json/wp/v2/posts) Request Method: OPTIONS Status Code: 403 Forbidden Remote Address: #.#.#.#:443 Referrer Policy: strict-origin-when-cross-origin * **Response Headers:** Access-Control-Allow-Credentials: true Access-Control- Allow-Headers: Authorization, Content-Type Access-Control-Allow-Methods: OPTIONS, GET, POST, PUT, PATCH, DELETE Access-Control-Allow-Origin: [https://type.test](https://type.test) Access-Control-Expose-Headers: X-WP-Total, X-WP-TotalPages Connection: Keep-Alive Content-Length: 110 Content-Type: application/json; charset=UTF-8 Date: Fri, 12 Jul 2019 13:59:26 GMT Keep-Alive: timeout=5, max=99 Link: <[https://[redacted].com/wp-json/>](https://[redacted].com/wp-json/>);; rel=”[https://api.w.org/”](https://api.w.org/”); Server: Apache/2.4.29( Ubuntu) Vary: Origin X-Content-Type-Options: nosniff X-Robots-Tag: noindex * **Request Headers** ⚠️ Provisional headers are shown Access-Control-Request- Headers: authorization Access-Control-Request-Method: GET DNT: 1 Origin: [https://type.test](https://type.test) Referer: [https://type.test/](https://type.test/) User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36 * —– * Here’s the error I receive in my console: * > OPTIONS [https://[redacted]/wp-json/wp/v2/posts](https://[redacted]/wp-json/wp/v2/posts) > 403 (Forbidden) > Access to fetch at ‘[https://[redacted].com/wp-json/wp/v2/posts’](https://[redacted].com/wp-json/wp/v2/posts’); > from origin ‘[https://type.test’](https://type.test’); has been blocked > by CORS policy: Response to preflight request doesn’t pass access control check: > It does not have HTTP ok status. Viewing 3 replies - 1 through 3 (of 3 total) * [George Appiah](https://wordpress.org/support/users/gappiah/) * (@gappiah) * [6 years, 9 months ago](https://wordpress.org/support/topic/proper-status-code-on-preflight-options-request/#post-11774558) * Hello, * Don’t have an answer for you… just here to say that the WordPress StackOverflow site might be a good place for fairly advanced and developer-focused questions like this. * [https://wordpress.stackexchange.com/](https://wordpress.stackexchange.com/) * Good luck! * [Praveen Kalaiarasu](https://wordpress.org/support/users/pravnkay/) * (@pravnkay) * [6 years, 5 months ago](https://wordpress.org/support/topic/proper-status-code-on-preflight-options-request/#post-12234529) * Hope its not too late to post this. I encountered the same problem. Adding below function to functions.php solved my problem * ``` add_action( 'init', 'handle_preflight' ); function handle_preflight() { $origin = get_http_origin(); if ( $origin == 'http://localhost:8080' || $origin == 'https://yourapp.firebaseapp.com') { // You can set more specific domains if you need header("Access-Control-Allow-Origin: " . $origin); header("Access-Control-Allow-Methods: POST, GET, OPTIONS, PUT, DELETE"); header("Access-Control-Allow-Credentials: true"); header( 'Access-Control-Allow-Headers: Authorization' ); if ( 'OPTIONS' == $_SERVER['REQUEST_METHOD'] ) { status_header(200); exit(); } } } ``` * [guntercn](https://wordpress.org/support/users/guntercn/) * (@guntercn) * [6 years, 3 months ago](https://wordpress.org/support/topic/proper-status-code-on-preflight-options-request/#post-12340643) * Hi i have the same error * Wordpress back end JWT authentication Android or Apple App * I have an Endpoint POST * register_rest_route($this->namespace, ‘/’ . $base.’/crmvalidation’, array( array( ‘methods’ => \WP_REST_Server::CREATABLE, ‘callback’ => array( $this, ‘ customer_validation’ ), ‘permission_callback’ => array( $this, ‘current_user_is_online’),// register_user_permissions_check ‘args’ => $this->get_endpoint_args_for_item_schema( true ), ), ) ); * ———– * the problem is that the first method method to invoke is the OPTIONS not the GET - This reply was modified 6 years, 3 months ago by [guntercn](https://wordpress.org/support/users/guntercn/). Viewing 3 replies - 1 through 3 (of 3 total) The topic ‘Proper status code on preflight OPTIONS request’ is closed to new replies. ## Tags * [api](https://wordpress.org/support/topic-tag/api/) * [authentication](https://wordpress.org/support/topic-tag/authentication/) * [jwt](https://wordpress.org/support/topic-tag/jwt/) * [request](https://wordpress.org/support/topic-tag/request/) * [rest](https://wordpress.org/support/topic-tag/rest/) * In: [Fixing WordPress](https://wordpress.org/support/forum/how-to-and-troubleshooting/) * 3 replies * 2 participants * Last reply from: [guntercn](https://wordpress.org/support/users/guntercn/) * Last activity: [6 years, 3 months ago](https://wordpress.org/support/topic/proper-status-code-on-preflight-options-request/#post-12340643) * Status: not resolved ## Topics ### Topics with no replies ### Non-support topics ### Resolved topics ### Unresolved topics ### All topics