Remove settings of CORS heads in the options block. (#1681)

MikeNeilson · web-flow · commit 86cf0552a9dc · 2026-04-13T07:03:10.000-07:00
diff --git a/cwms-data-api/src/main/java/cwms/cda/ApiServlet.java b/cwms-data-api/src/main/java/cwms/cda/ApiServlet.java
@@ -410,10 +410,10 @@ public void init() {
                 })
                 .routes(this::configureRoutes)
                 .options("/*", ctx -> {
-                    ctx.header("Access-Control-Allow-Origin", "*"); // Allow requests from any origin
-                    ctx.header("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS"); // Specify allowed methods
-                    ctx.header("Access-Control-Allow-Headers", "Content-Type, Authorization"); // Specify allowed headers
-                    ctx.status(200); // Respond with a 200 OK status
+                    // Respond with a 200 OK status for preflight checks.
+                    // It is expected that the firewall in front of the API
+                    // will handle any CORS headers.
+                    ctx.status(200);
                 })
                 .javalinServlet();
         QueueManager.ensureRssSubscribers(cwms);
diff --git a/cwms-data-api/src/test/java/cwms/cda/api/BaseLineTestIT.java b/cwms-data-api/src/test/java/cwms/cda/api/BaseLineTestIT.java
@@ -34,9 +34,7 @@ void test_options_handling_known_url(String url) throws Exception {
         .then()
             .log().ifValidationFails(LogDetail.ALL,true)
             .assertThat()
-            .statusCode(is(HttpServletResponse.SC_OK))
-            .header("Access-Control-Allow-Methods", equalTo("GET, POST, PUT, DELETE, OPTIONS"))
-            .header("Access-Control-Allow-Headers", equalTo("Content-Type, Authorization"));
+            .statusCode(is(HttpServletResponse.SC_OK));
     }
     
     @ParameterizedTest
@@ -51,8 +49,6 @@ void test_options_handling_unknown_url(String url) throws Exception {
         .then()
             .log().ifValidationFails(LogDetail.ALL,true)
             .assertThat()
-            .statusCode(is(HttpServletResponse.SC_OK))
-            .header("Access-Control-Allow-Methods", nullValue())
-            .header("Access-Control-Allow-Headers", nullValue());
+            .statusCode(is(HttpServletResponse.SC_OK));
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -34,9 +34,7 @@ void test_options_handling_known_url(String url) throws Exception {`
`34`	`34`	`.then()`
`35`	`35`	`.log().ifValidationFails(LogDetail.ALL,true)`
`36`	`36`	`.assertThat()`
`37`		`- .statusCode(is(HttpServletResponse.SC_OK))`
`38`		`- .header("Access-Control-Allow-Methods", equalTo("GET, POST, PUT, DELETE, OPTIONS"))`
`39`		`- .header("Access-Control-Allow-Headers", equalTo("Content-Type, Authorization"));`
	`37`	`+ .statusCode(is(HttpServletResponse.SC_OK));`
`40`	`38`	`}`
`41`	`39`
`42`	`40`	`@ParameterizedTest`
`@@ -51,8 +49,6 @@ void test_options_handling_unknown_url(String url) throws Exception {`
`51`	`49`	`.then()`
`52`	`50`	`.log().ifValidationFails(LogDetail.ALL,true)`
`53`	`51`	`.assertThat()`
`54`		`- .statusCode(is(HttpServletResponse.SC_OK))`
`55`		`- .header("Access-Control-Allow-Methods", nullValue())`
`56`		`- .header("Access-Control-Allow-Headers", nullValue());`
	`52`	`+ .statusCode(is(HttpServletResponse.SC_OK));`
`57`	`53`	`}`
`58`	`54`	`}`