allowed origins
sumeet-lgtm
PROOP

a month ago

My service wyber-preview-builder (project 2477874c, service 9aaf0256) returns x-deny-reason: host_not_allowed on all POST requests from external domains. My server.js has cors({origin:'*'}) and no allowlist code. The ALLOWED_ORIGINS env var is set to *. This appears to be a Railway edge-level restriction. How do I disable it?

$20 Bounty

2 Replies

Railway
BOT

a month ago

This thread has been opened as a public bounty so the community can help solve it. The thread and any further activity are now visible to everyone.

Status changed to Open Railway 29 days ago


do you have "allowed methods" set?


webaksharsolutions
PRO

a month ago

This isn't a Railway restriction — Railway doesn't have an edge-level host allowlist, and CORS can't produce x-deny-reason. That header is coming from an egress proxy on the side that's making the request, blocking it before it ever hits your service.

Quick confirmation:

curl -i https://.up.railway.app/ from a plain network (phone hotspot, a normal VPS, your laptop off any corp/VPN network). It'll work fine — proving your service and Railway edge are healthy.

On the failing 403, check the server header. If it says envoy (not railway-edge) and the response is missing x-railway-request-id, the block is upstream of Railway, in the caller's environment.

If the external POSTs are coming from Claude Code / an MCP connector / a CI runner / any sandboxed agent, that environment has a domain allowlist that doesn't include *.up.railway.app (these proxies do exact-match, no wildcards). Fix is to add your Railway domain to that environment's egress allowlist — e.g. Claude Code's "Additional allowed domains" / "Allow network egress" setting — not anything on Railway.


Welcome!

Sign in to your Railway account to join the conversation.

Loading...