Postman Resolving "Invalid CORS request" for a POST Request
Solution 1
Here's the answer you found again:
Just in case anybody else has this same problem, here is how to solve it. Go to https://www.getpostman.com/docs/capture in your chrome browser. Click on interceptor extension and then choose add to chrome. Once it is added there is a new icon top right of both the browser and postman that looks like a traffic light. In postman click this and it turns green.
... With the bit in bold translated:
Then add a header to your request. The header Key should be "Origin" and the header Value should be the full URL of your server (Do not forget the
http://orhttps://).
Note that Chrome/Postman won't allow you to add a Header with a Key of Origin without the Interceptor plugin.
Also note that at least on my system the Interceptor icon no longer looks like a traffic light.
Solution 2
If your back-end service side code checks for origin of the request (just to avoid CORS attack) you may face this issues when testing your Rest API through postman.
How to Resolve this .?
You need to install a Chrome plugin called Postman Interceptor (https://chrome.google.com/webstore/detail/postman-interceptor/aicmkgpgakddgnaphhhpliifpcfhicfo?hl=en).
After successfully installing this plugin , in you Postman client you can see small icon called Postman Interceptor , you need to toggle it to turn it on.
Now you can add a Request header as below
RequestHeader Key "Origin" RequestHeader Value "your application base URL"
Now you should be able to over come CORS issues you are facing Cheers !!
Solution 3
Seems our server is seeing from a Postman manual HTTP POST that the orgin is invalid b/c its coming from Postman as "chrome-extension://fhbjgbiflinjbdggehcddcbncdddomop"
Not sure why or how to resolve on client/Postman side. Seems our server is correclty rejecting it as is though and issuing a 403.
Solution 4
Just avoid using browser/chrome postman plugin. Use the desktop application instead!
Solution 5
Value of "Origin" header set in Postman request should be allowed in API backend. For example, using Spring Boot for API should have next:
@Configuration
public class WebConfig implements WebMvcConfigurer {
@Value("${cors.allowedOrigins}")
private String allowedOrigins;
@Override
public void addCorsMappings(CorsRegistry registry) {
registry.addMapping("/**")
.allowedOrigins(allowedOrigins)
.allowedMethods("*")
.allowedHeaders("*");
}
}
where allowedOrigins is set using application.properties property cors.allowedOrigins having comma separated list of allowed origins, eg:
cors.allowedOrings=http://localhost:8080,http://example.com
and set 'Origin' value in Postman to any url from cors.allowedOrigins
Related videos on Youtube
15 : 20
13 : 02
12 : 35
![CORS Error & Solutions In A Nutshell [Cross Origin Resource Sharing]](https://i.ytimg.com/vi/gPzMRoPDrFk/hq720.jpg?sqp=-oaymwEcCNAFEJQDSFXyq4qpAw4IARUAAIhCGAFwAcABBg==&rs=AOn4CLCL9ZbwLoTEYnPYQFHRmL1ZdqSvVg)
04 : 07
10 : 14
07 : 57
11 : 14
![[QUESTION] How can I call a POST endpoint from Postman with CSRF protection enabled?](https://i.ytimg.com/vi/kRGJraWoCxk/hq720.jpg?sqp=-oaymwEcCNAFEJQDSFXyq4qpAw4IARUAAIhCGAFwAcABBg==&rs=AOn4CLC3tsBPjY6C5bGDCX6meEWwK3RXQQ)
18 : 06
02 : 55
tinonetic
Updated on February 26, 2021Comments
-
tinonetic about 3 years
I've just started using Postman to test an API I am integrating to.
I have the following error that keeps showing up
Invalid CORS request
Note the following:
- The API uses Bearer token authentication(OAuth2). I have this working without a problem.
- I do get the bearer token successfully, assign it to an Environment variable and then attempt to use it for the RESTful operations.
- The problem is in the subsequent RESTful operation that uses the token.
- When I use an old token (through a POST operation), it rightfully tells me that it is expired and not authorized.
- When I then generate a new one and try to run the restful call, it gives me that
Invalid CORS requesterror. - Using cURL, I have no issues. But I am frustrated by Postman.
What I have found so far:
- Using postman with Http POST requests - I don't get the part in bold
Just in case anybody else has this same problem, here is how to solve it. Go to https://www.getpostman.com/docs/capture in your chrome browser. Click on interceptor extension and then choose add to chrome. Once it is added there is a new icon top right of both the browser and postman that looks like a traffic light. In postman click this and it turns green. Then add a header to every request going to third light. Every header consists of the header name and a value. Start typing over the header name and a list of allowed http headers comes up. Choose "Origin". In the cell for value simply type the full URL of your server. (Do not forget the 'http://' or 'https://').
- What is the expected response to an invalid CORS request? - Best explanation I have seen so far on CORS errors.
The other material speaks about
Access-Control-Allow-Method header,preflight requests... and there is an illustrative Apache Tomcat flowchart of the CORS flow.
-
Lomtrur almost 5 yearsYou should add from which version you upgraded to which. This answer may be useless to someone in the future if a future version causes the same issue or if they are already on the latest version but still have the problem.
-
Dipesh Raichana over 2 yearsfacing the same issue and postman interceptor isn't working. is there any other way ?
