Proper status code on preflight OPTIONS request

  • uamv


    I’m attempting to query my WordPress site via the REST API by fetching from javascript. To handle authentication, I have installed the JWT Auth plugin. I am able to successfully generate and return an access token. However, when I attempt to use that access token for future requests, the preflight OPTIONS request encounters a 403 Forbidden status code. A 200 Okay is needed to proceed with the request. I expect this is something in the configuration of my WordPress site or, more likely, in the server on which it is hosted. I expect WordPress or the JWT Auth plugin should be handling this response properly, but that may not be. Full response and request headers are below.

    I’ve been scouring the internet for fixes to this and haven’t been able to locate any good direction on how to proceed. Any assistance or thoughts will be appreciated. Thanks!

    Note: I realize this endpoint doesn’t need authentication, but others I plan to hit will.


    Request URL: https://[redacted].com/wp-json/wp/v2/posts
    Request Method: OPTIONS
    Status Code: 403 Forbidden
    Remote Address: #.#.#.#:443
    Referrer Policy: strict-origin-when-cross-origin

    Response Headers:
    Access-Control-Allow-Credentials: true
    Access-Control-Allow-Headers: Authorization, Content-Type
    Access-Control-Allow-Methods: OPTIONS, GET, POST, PUT, PATCH, DELETE
    Access-Control-Allow-Origin: https://type.test
    Access-Control-Expose-Headers: X-WP-Total, X-WP-TotalPages
    Connection: Keep-Alive
    Content-Length: 110
    Content-Type: application/json; charset=UTF-8
    Date: Fri, 12 Jul 2019 13:59:26 GMT
    Keep-Alive: timeout=5, max=99
    Link: <https://[redacted].com/wp-json/>; rel=”;
    Server: Apache/2.4.29 (Ubuntu)
    Vary: Origin
    X-Content-Type-Options: nosniff
    X-Robots-Tag: noindex

    Request Headers
    ⚠️ Provisional headers are shown
    Access-Control-Request-Headers: authorization
    Access-Control-Request-Method: GET
    DNT: 1
    Origin: https://type.test
    Referer: https://type.test/
    User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36


    Here’s the error I receive in my console:

    OPTIONS https://[redacted]/wp-json/wp/v2/posts 403 (Forbidden)
    Access to fetch at ‘https://[redacted].com/wp-json/wp/v2/posts’ from origin ‘https://type.test’ has been blocked by CORS policy: Response to preflight request doesn’t pass access control check: It does not have HTTP ok status.
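
Why the browser blocks the response quoted in the post above even though its Access-Control-* headers look right, as an added example that is not part of the original thread: a JavaScript approximation of the preflight checks from the Fetch specification, run on a sample constructed from the quoted headers. `checkPreflight`, its input shape and its messages (other than the status message, which is taken from the console error) are hypothetical names chosen for this illustration.

```javascript
// Added example: approximates the preflight validation in the Fetch spec.
const SAFELISTED_METHODS = new Set(["GET", "HEAD", "POST"]);
const tokens = (v) => (v || "").split(",").map((t) => t.trim()).filter(Boolean);

function checkPreflight(req, res) {
  const h = Object.fromEntries(
    Object.entries(res.headers).map(([k, v]) => [k.toLowerCase(), v]));
  // 1. Allow-Origin must equal Origin; "*" only counts without credentials.
  const allowOrigin = h["access-control-allow-origin"];
  if (allowOrigin !== req.origin && !(allowOrigin === "*" && !req.credentials)) {
    return "Access-Control-Allow-Origin does not match the request origin.";
  }
  if (req.credentials && h["access-control-allow-credentials"] !== "true") {
    return "Access-Control-Allow-Credentials is not 'true'.";
  }
  // 2. The preflight response must carry an ok status (200-299).
  if (res.status < 200 || res.status > 299) {
    return "It does not have HTTP ok status.";
  }
  // 3. The method must be CORS-safelisted or listed in Allow-Methods.
  const methods = tokens(h["access-control-allow-methods"]);
  const anyMethod = methods.includes("*") && !req.credentials;
  if (!SAFELISTED_METHODS.has(req.method) && !methods.includes(req.method) && !anyMethod) {
    return `Method ${req.method} is not allowed.`;
  }
  // 4. Each requested header must be listed; "*" never covers Authorization.
  const allowed = tokens(h["access-control-allow-headers"]).map((n) => n.toLowerCase());
  for (const name of req.headers.map((n) => n.toLowerCase())) {
    const wildcard = allowed.includes("*") && !req.credentials && name !== "authorization";
    if (!allowed.includes(name) && !wildcard) {
      return `Request header ${name} is not allowed.`;
    }
  }
  return null; // preflight passes, the browser sends the real request
}

// Constructed sample built from the headers quoted in the post.
// Assumption: credentials mode is not "include" (the post does not say).
const request = { origin: "https://type.test", method: "GET",
                  headers: ["authorization"], credentials: false };
const response = { status: 403, headers: {
  "Access-Control-Allow-Credentials": "true",
  "Access-Control-Allow-Headers": "Authorization, Content-Type",
  "Access-Control-Allow-Methods": "OPTIONS, GET, POST, PUT, PATCH, DELETE",
  "Access-Control-Allow-Origin": "https://type.test",
} };
console.log(checkPreflight(request, response));
console.log(checkPreflight(request, { ...response, status: 200 }));
```

The first call fails only on the status check and the second returns `null`, so the 403 on the OPTIONS response is the only thing to fix on the server side.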

Viewing 3 replies - 1 through 3 (of 3 total)
  • Hello,

    Don’t have an answer for you… just here to say that the WordPress StackOverflow site might be a good place for fairly advanced and developer-focused questions like this.

    Good luck!

  • Hope it's not too late to post this.
    I encountered the same problem.
    Adding the below function to functions.php solved my problem

    add_action( 'init', 'handle_preflight' );
    function handle_preflight() {
        $origin = get_http_origin();
        if ( $origin == 'http://localhost:8080' || $origin == '' ) {
            // You can set more specific domains if you need
            header( "Access-Control-Allow-Origin: " . $origin );
            header( "Access-Control-Allow-Methods: POST, GET, OPTIONS, PUT, DELETE" );
            header( "Access-Control-Allow-Credentials: true" );
            header( 'Access-Control-Allow-Headers: Authorization' );
            if ( 'OPTIONS' == $_SERVER['REQUEST_METHOD'] ) {
                // The posted snippet is cut off at this line. Minimal completion:
                // answer the preflight with 200 and stop before WordPress continues.
                status_header( 200 );
                exit();
            }
        }
    }

  • Hi, I have the same error

    WordPress back end JWT authentication
    Android or Apple App

    I have an Endpoint POST

    register_rest_route( $this->namespace, '/' . $base . '/crmvalidation', array(
        'methods'             => \WP_REST_Server::CREATABLE,
        'callback'            => array( $this, 'customer_validation' ),
        'permission_callback' => array( $this, 'current_user_is_online' ), // register_user_permissions_check
        'args'                => $this->get_endpoint_args_for_item_schema( true ),
    ) );


    The problem is that the first method to invoke is the OPTIONS, not the GET

    • This reply was modified 2 months, 3 weeks ago by guntercn.