CORS issue for published REST service

I have a microflow which I have published as a REST service with PUT method. On click on some button, I am performing two actions- Calling a nanoflow which internally executes JS action. In that JS action, I call my REST service. As nanoflow can not call microflow, and vice versa, I had to use XTTPRequest from JS to call my PUT method API.  But I am not able to call this API . Error i am getting in browse  console : OPTIONS http://localhost:8080/rest/addproducttorecent/v1/Product net::ERR_ABORTED 405 (Method Not Allowed) Access to XMLHttpRequest at 'http://localhost:8080/rest/addproducttorecent/v1/Product' from origin '' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: It does not have HTTP ok status. Seems like java script action calls my REST service with ‘OPTIONS’ method instead of ‘PUT’ method first. I have set option ‘Enable CORS’ as true in properties of published RESt service. What could be the solution here?
3 answers

Hi Rushikesh,

When making rest calls in javascript the server has to respond to the preflight request (options method) with the correct headers (to authorize the browser) before the rest call can continue with the method that you are trying to use.

The header that you need is:


and sometimes you need a couple more if you want to use cookies. More info can be found here:

In your published rest service you can create an operation for the “OPTIONS” request. Add that to your published service and create a microflow that creates the access-control-allow-origin header with the value of the url that you are access it from (or you can use an * but be cautious of using the wild card).

Here is an example:



Hope this helps!




You might want to use Mendix 8.1.

In the release notes, it says: “We changed the behavior of OPTIONS requests to published REST services. Authentication is no longer required when you define an OPTIONS microflow. In addition, when CORS is checked, you no longer need an OPTIONS microflows; the service will respond to OPTIONS requests with CORS headers.“


The Same Origin Policy (SOP) is a security measure standardized among browsers. It is needed to prevent Cross-Site Request Forgery (CSRF). The "Origin" mostly refers to a "Domain". Same Origin Policy prevents different origins (domains) from interacting with each other, to prevent attacks such as CSRF (Cross Site Request Forgery) through such requests, like AJAX. In other words, the browser would not allow any site to make a request to any other site. Without Same Origin Policy , any web page would be able to access the DOM of other pages.

This SOP (Same Origin Policy) exists because it is too easy to inject a link to a javascript file that is on a different domain. This is actually a security risk ; you really only want code that comes from the site you are on to execute and not just any code that is out there.

If you want to bypass that restriction when fetching the contents with fetch API or XMLHttpRequest in javascript, you can use a proxy server so that it sets the header Access-Control-Allow-Origin to *.

If you need to enable CORS on the server in case of localhost, you need to have the following on request header.

Access-Control-Allow-Origin: http://localhost:9999