We're Hiring!

Mattermost, Inc.

CORS issue on mattermost

Does anyone knows how and where to configure to resolve the CORS issue in mattermost server?
Appreciate the help.

Hi, @joblemjose

In terms of configuration within Mattermost itself, I suggest you to check on the Configuration Settings documentation to understand the available setups which include:

  • Enabling CORS
  • CORS Exposed Headers
  • CORS Allow Credentials
  • CORS Debug

Can you please share more information on the CORS issue that you have run into? Screen shot(s) and configuration snippet will be really helpful to help us understand the problem better. Thanks.


Below is the current configuration that set

Currently the response header allows
access-control-allow-methods: POST

How to include
access-control-allow-methods: POST, GET, POST

Getting the below error message now

Response to preflight request doesn’t pass access control check: The value of the ‘Access-Control-Allow-Origin’ header in the response must not be the wildcard ‘*’ when the request’s credentials mode is ‘include’. The credentials mode of requests initiated by the XMLHttpRequest is controlled by the withCredentials attribute.

Let me know if this info sufficient?

I have the same issue with CORS, message delete fails with this:
Access to fetch at ‘https://mattermost.dev.awake.ai/api/v4/posts/e36far8qj3ry9xbuffm8xyhwfe’ from origin ‘https://portapp.dev.awake.ai’ has been blocked by CORS policy: Response to preflight request doesn’t pass access control check: No ‘Access-Control-Allow-Origin’ header is present on the requested resource. If an opaque response serves your needs, set the request’s mode to ‘no-cors’ to fetch the resource with CORS disabled.

I cannot find in configuration where Access-Control-Allow-Methods header could be defined?

did you configure your reverse proxy correctly? https://enable-cors.org/server_nginx.html


We have external reverse proxy, Amazon ALB. I guess need to check that next.


H! Got this issue fixed. Thank you!