@@ -43,15 +43,15 @@ server {
4343 access_log /var/log/nginx/app.access.log detailed;
4444 error_log /var/log/nginx/app.error.log warn;
4545
46- # CORS Headers
46+ # CORS Headers (applied to all responses)
4747 add_header Access-Control-Allow-Origin $cors_origin always;
4848 add_header Access-Control-Allow-Methods "GET, POST, PUT, PATCH, DELETE, OPTIONS, HEAD" always;
4949 add_header Access-Control-Allow-Headers "Authorization, Content-Type, Accept, Origin, X-Requested-With, X-Request-Id" always;
5050 add_header Access-Control-Allow-Credentials "true" always;
5151 add_header Access-Control-Max-Age 86400 always;
5252
53- # Handle preflight OPTIONS requests
54- if ($request_method = OPTIONS) {
53+ # Handle preflight OPTIONS requests for all paths
54+ location @cors_preflight {
5555 add_header Access-Control-Allow-Origin $cors_origin always;
5656 add_header Access-Control-Allow-Methods "GET, POST, PUT, PATCH, DELETE, OPTIONS, HEAD" always;
5757 add_header Access-Control-Allow-Headers "Authorization, Content-Type, Accept, Origin, X-Requested-With, X-Request-Id" always;
@@ -155,6 +155,11 @@ server {
155155
156156 # Authentication endpoints - moderate rate limiting
157157 location ~ ^/api/(auth|login|logout|signup) {
158+ # Handle OPTIONS preflight
159+ if ($request_method = OPTIONS) {
160+ return 204;
161+ }
162+
158163 limit_req zone=general_api burst=30 nodelay;
159164
160165 proxy_pass http://puma_rails_app;
@@ -174,6 +179,11 @@ server {
174179
175180 # General API endpoints
176181 location /api/ {
182+ # Handle OPTIONS preflight
183+ if ($request_method = OPTIONS) {
184+ return 204;
185+ }
186+
177187 limit_req zone=general_api burst=100 nodelay;
178188
179189 proxy_pass http://puma_rails_app;
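Review bot: The `return 204` blocks added to the auth and `/api/` locations (new lines 159-161 and 183-185) answer every preflight with whatever the server-level `add_header` lines emit, and those pair `Access-Control-Allow-Credentials "true"` with `$cors_origin`, whose definition is outside these hunks. Unless `$cors_origin` comes from a `map` on `$http_origin` that yields an empty value for origins not on an allowlist, any origin would be approved for credentialed requests to the auth endpoints. Because the value differs per request, the header set should also carry `add_header Vary Origin always;` so that caches do not reuse one origin's response for another. Separately, nothing in the visible hunks routes to the new `location @cors_preflight`, so it looks unreachable. nginx also stops inheriting server-level `add_header` in any location that declares its own, and both location bodies continue outside the hunks, so confirm that neither adds headers; otherwise the 204 goes out without any CORS headers.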