Azure / Azure-Functions


Access-Control-Max-Age being removed #1277

Open jordanfinners opened 5 years ago

jordanfinners commented 5 years ago

Issue: Setting custom headers on my Azure Functions, all appear except Access-Control-Max-Age, which I want to set to reduce the number of OPTIONS requests being made as I'm using fetch across origins.

```javascript
{
    'Access-Control-Allow-Origin': 'https://www.fittr.pro',
    'Access-Control-Allow-Methods': 'GET, POST, PUT, OPTIONS, DELETE',
    'Access-Control-Allow-Headers': 'Content-Type, Authorization',
    'Access-Control-Max-Age': '7200',
    'Vary': 'Origin, Accept-Encoding',
    // https://helmetjs.github.io/docs/dont-sniff-mimetype/
    'X-Content-Type-Options': 'nosniff',
    // https://helmetjs.github.io/docs/hsts
    // Max Age be at least 18 weeks to be approved by Google
    // Sub domains must be enabled to be approved by Google
    'Strict-Transport-Security': 'max-age=10886400; includeSubDomains; preload',
    // https://helmetjs.github.io/docs/referrer-policy
    'Referrer-Policy': 'same-origin',
    // https://helmetjs.github.io/docs/dns-prefetch-control/
    'X-DNS-Prefetch-Control': 'off',
    'Content-Security-Policy': constructContentSecurityPolicyHeader(),
    // https://helmetjs.github.io/docs/xss-filter/
    'X-XSS-Protection': '1; mode=block',
    'Content-Type': 'application/json; charset=utf-8',
    // https://scotthelme.co.uk/a-new-security-header-feature-policy/
    'Feature-Policy': 'accelerometer \'none\'; camera \'none\'; geolocation \'none\'; gyroscope \'none\';'
      + ' magnetometer \'none\'; microphone \'none\'; payment \'none\'; usb \'none\'',
}
```

And here are the response headers I'm seeing (copied from Chrome):

```
access-control-allow-credentials: true
access-control-allow-origin: https://www.fittr.pro
content-encoding: gzip
content-length: 123
content-security-policy: default-src 'self';...
content-type: application/json; charset=utf-8
date: Thu, 18 Jul 2019 17:56:40 GMT
feature-policy: accelerometer 'none'; camera 'none'; geolocation 'none'; gyroscope 'none'; magnetometer 'none'; microphone 'none'; payment 'none'; usb 'none'
referrer-policy: same-origin
status: 200
strict-transport-security: max-age=10886400; includeSubDomains; preload
vary: Origin, Accept-Encoding,Accept-Encoding
x-content-type-options: nosniff
x-dns-prefetch-control: off
x-xss-protection: 1; mode=block
```

As you can see, the access-control-max-age header isn't being returned. The access-control-allow-credentials header is being set by the CORS setting in the Azure portal.

It appears that something between my code and the response is stripping out some access-control headers.

Tech

Expected: Can set the Access-Control-Max-Age header

Thank you in advance :)

ColbyTresness commented 5 years ago

@mhoeger to take a look

jordanfinners commented 5 years ago

Thank you! Let me know if you need any more info 😊

code-with-kunalk commented 4 years ago

Was this issue solved for you @jordanfinners ?

jordanfinners commented 4 years ago

> Was this issue solved for you @jordanfinners ?

No the max age header still gets removed.

prabhakarreddy1234 commented 4 years ago

Is it fixed? I still see the header being removed.

acd-hfi commented 4 years ago

This is still a problem. The headers seem to be set, however, if you remove all CORS origins from the portal. It seems like the options are to handle all of the CORS headers in code or handle them all through the portal, but never a mix of the two.

baybal commented 2 years ago

It's 2022, and we are leaving Azure functions for AWS

Ben-Ruben commented 2 years ago

Was looking for a solution for setting the 'Access-Control-Max-Age' in my function, this still doesn't seem possible when using the CORS settings from the portal, is this correct and if so, is there any timeline on when this will be available?

cr3wdayt5p commented 2 years ago

@Ben-Ruben I tried a few weeks ago and it was not possible then. To avoid the excessive OPTIONS requests I disabled CORS in the portal and I now handle the OPTIONS requests and CORS headers manually in my function.

It is a bit crazy that it is not possible to control the 'access-control-max-age' header. It is the only thing missing from the CORS feature to make it useful in production.
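For readers taking the workaround described above (portal CORS disabled, preflights answered in the function), here is an added example that is not part of this thread or of the Azure Functions project. It assumes the classic JavaScript `context`/`req` handler model, uses an origin allowlist instead of reflecting whatever `Origin` arrives, and the allowlist entry is a constructed value.

```javascript
// Added example: an Azure Functions JavaScript HTTP trigger that answers CORS
// preflights itself so Access-Control-Max-Age can be set. Assumes portal CORS
// is disabled and the classic context/req programming model.
const ALLOWED_ORIGINS = new Set(['https://www.fittr.pro']); // constructed allowlist
const ALLOWED_METHODS = 'GET, POST, PUT, DELETE, OPTIONS';
const ALLOWED_HEADERS = 'Content-Type, Authorization';
const PREFLIGHT_MAX_AGE = '7200'; // seconds the browser may cache the preflight

// Build CORS response headers for one request. Returns null when the Origin is
// absent or not allowlisted, so the caller refuses instead of echoing it back.
function corsHeadersFor(origin) {
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return null;
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Methods': ALLOWED_METHODS,
    'Access-Control-Allow-Headers': ALLOWED_HEADERS,
    'Access-Control-Max-Age': PREFLIGHT_MAX_AGE,
    // Vary on Origin so a shared cache never serves one origin's answer to another.
    'Vary': 'Origin',
  };
}

// Decide the full response from the request method and headers. OPTIONS
// preflights get 204 with only CORS headers (403 for a disallowed origin);
// other methods get the CORS headers merged with the real payload.
function buildResponse(method, headers, body) {
  const origin = headers['origin'] || headers['Origin'];
  const cors = corsHeadersFor(origin);
  if (method === 'OPTIONS') {
    return cors
      ? { status: 204, headers: cors, body: '' }
      : { status: 403, headers: {}, body: '' };
  }
  return {
    status: 200,
    headers: Object.assign({ 'Content-Type': 'application/json; charset=utf-8' }, cors || {}),
    body: JSON.stringify(body),
  };
}

// Function entry point (assumed classic model): the response is returned via context.res.
async function httpTrigger(context, req) {
  context.res = buildResponse(req.method, req.headers || {}, { ok: true });
}

if (typeof module !== 'undefined') module.exports = httpTrigger;
```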

Ben-Ruben commented 2 years ago

@cr3wdayt5p Yes, I'm trying that now as well and that route seems to work. However not sure whether I cover all that's needed for a proper CORS implementation now. Therefore I rather rely on the features provided (through the portal), but these are incomplete.

ShubhamGargCTH commented 1 year ago

@mhoeger checking in to see if we have an option now to set Access-Control-Max-Age.
We use Azure App Service EasyAuth, so we can't really set the custom CORS headers in the code, as the OPTIONS request doesn't have an auth header.