I built an angular app that uses the Task API and Camunda Platform 8. The app was failing due to CORS issues. I created an Nginx server to reverse proxy requests from the Angular app (served from the same domain). It was relatively straightforward to get the headers required for the CORS preflight request (via OPTIONS). However, even when there were no preflight CORS errors in the console, the proxy request was returning a 402 Forbidden error from Camunda. I saw several posts about CSRF tokens, but those were more focused on SpringBoot apps and Camunda 7. Ultimately, I fixed the issue by removing the Origin and Referer headers:
location / {
if ($request_method = 'OPTIONS') {
add_header Access-Control-Allow-Origin "*" always;
add_header Access-Control-Allow-Credentials 'true' always;
add_header Access-Control-Allow-Headers "*";
add_header Access-Control-Allow-Methods 'GET, POST, OPTIONS';
add_header Content-Type "application/json";
add_header Content-Length 0;
return 204;
}
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Origin "";
proxy_set_header Referer "";
proxy_pass https://dsm-1.tasklist.camunda.io/XXXXX-XXXXX-XXXXX/graphql/;
}
}
Hope this saves someone some time!