CORS issue on mattermost

Does anyone knows how and where to configure to resolve the CORS issue in mattermost server?
Appreciate the help.

Hi, @joblemjose

In terms of configuration within Mattermost itself, I suggest you to check on the Configuration Settings documentation to understand the available setups which include:

  • Enabling CORS
  • CORS Exposed Headers
  • CORS Allow Credentials
  • CORS Debug

Can you please share more information on the CORS issue that you have run into? Screen shot(s) and configuration snippet will be really helpful to help us understand the problem better. Thanks.


Below is the current configuration that set

Currently the response header allows
access-control-allow-methods: POST

How to include
access-control-allow-methods: POST, GET, POST

Getting the below error message now

Response to preflight request doesn’t pass access control check: The value of the ‘Access-Control-Allow-Origin’ header in the response must not be the wildcard ‘*’ when the request’s credentials mode is ‘include’. The credentials mode of requests initiated by the XMLHttpRequest is controlled by the withCredentials attribute.

Let me know if this info sufficient?

I have the same issue with CORS, message delete fails with this:
Access to fetch at ‘’ from origin ‘’ has been blocked by CORS policy: Response to preflight request doesn’t pass access control check: No ‘Access-Control-Allow-Origin’ header is present on the requested resource. If an opaque response serves your needs, set the request’s mode to ‘no-cors’ to fetch the resource with CORS disabled.

I cannot find in configuration where Access-Control-Allow-Methods header could be defined?

did you configure your reverse proxy correctly?


We have external reverse proxy, Amazon ALB. I guess need to check that next.


H! Got this issue fixed. Thank you!

How did you fix it as we also have AWS load balancer with no nginx

The Same Origin Policy (SOP) is a security measure standardized among browsers. It is needed to prevent Cross-Site Request Forgery (CSRF). The “Origin” mostly refers to a “Domain”. Same Origin Policy prevents different origins (domains) from interacting with each other, to prevent attacks such as CSRF (Cross Site Request Forgery) through such requests, like AJAX. In other words, the browser would not allow any site to make a request to any other site. Without Same Origin Policy , any web page would be able to access the DOM of other pages.

This SOP (Same Origin Policy) exists because it is too easy to inject a link to a javascript file that is on a different domain. This is actually a security risk ; you really only want code that comes from the site you are on to execute and not just any code that is out there.

If you want to bypass that restriction when fetching the contents with fetch API or XMLHttpRequest in javascript, you can use a proxy server so that it sets the header Access-Control-Allow-Origin to *.

If you need to enable CORS on the server in case of localhost, you need to have the following on request header.

Access-Control-Allow-Origin: http://localhost:9999