Preflight response is not successful

I’m developing a web application with angular that sends a request to my Azure API. The API is protected by angular. When I call the url in the browser, I get redirected to the microsoft login page. After the login I come back to the API.

Now, I want to send a request to the API from my angular app:

const auth = btoa("[my username]:[my password]");
headers = {"Authorization": "Basic " + auth};

$http.get("http://[webapp name]", {headers: headers}).then(function (response) {

I added the [webapp name] to my CORS in the azure portal.
When I execute this, I get the error:

[Error] Failed to load resource: the server responded with a status of
400 (Bad Request)

[Error] Failed to load resource: Preflight response is not successful

[Error] XMLHttpRequest cannot load http://[webapp name] Preflight response is not successful

Any idea how to fix it?


I tried it again with this code:

const auth = btoa("[my username]:[my password]");
var config = {headers:  {
              'Authorization': 'Basic ' + auth,
              "Origin": "http://[webapp name]",
              "Access-Control-Request-Method": "GET",
              "Access-Control-Request-Headers": "X-Custom-Header"

$http.get("http://[webapp name]", config).then(function (response) {

Now I’m getting these errors:

Refused to set unsafe header “Origin”

Refused to set unsafe header “Access-Control-Request-Method”

Refused to set unsafe header “Access-Control-Request-Headers”

Response to preflight request doesn’t pass access control check: No ‘Access-Control-Allow-Origin’ header is present on the requested
resource. Origin ‘null’ is therefore not allowed access. The response
had HTTP status code 400

When I delete these “unsafe headers” the last error message is still there.

Why does Origin is null automatically?

Here is Solutions:

We have many solutions to this problem, But we recommend you to use the first solution because it is tested & true solution that will 100% work for you.

Solution 1

You should add the address of your requesting site URL in CORS in your Server/Backend code. Each language or framework might have their own way of adding this, try to search “[backend language] cors” (e.g. “C# cors”) in google. (credits to @Gary Liu – MSFT)

You can confirm you have added correct origin by inspecting network tab in developer’s console.

First select the request with method OPTIONS
enter image description here

Then verify the Access-Control-Allow-Origin is the same with your Origin
enter image description here

Solution 2

How about setting up a proxy instead?


  "/api/contacts" : {
    "target": "http://{{webapp name}}",
    "secure": "false,
    "changeOrigin": true,
    "pathRewrite": {
      "^/api/contacts/": ""

You can find more details on

Note: Use and implement solution 1 because this method fully tested our system.
Thank you 🙂

All methods was sourced from or, is licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0

Leave a Reply