a month ago
My service wyber-preview-builder (project 2477874c, service 9aaf0256) returns x-deny-reason: host_not_allowed on all POST requests from external domains. My server.js has cors({origin:'*'}) and no allowlist code. The ALLOWED_ORIGINS env var is set to *. This appears to be a Railway edge-level restriction. How do I disable it?
2 Replies
a month ago
This thread has been opened as a public bounty so the community can help solve it. The thread and any further activity are now visible to everyone.
Status changed to Open Railway • 29 days ago
a month ago
This isn't a Railway restriction — Railway doesn't have an edge-level host allowlist, and CORS can't produce x-deny-reason. That header is coming from an egress proxy on the side that's making the request, blocking it before it ever hits your service.
Quick confirmation:
curl -i https://.up.railway.app/ from a plain network (phone hotspot, a normal VPS, your laptop off any corp/VPN network). It'll work fine — proving your service and Railway edge are healthy.
On the failing 403, check the server header. If it says envoy (not railway-edge) and the response is missing x-railway-request-id, the block is upstream of Railway, in the caller's environment.
If the external POSTs are coming from Claude Code / an MCP connector / a CI runner / any sandboxed agent, that environment has a domain allowlist that doesn't include *.up.railway.app (these proxies do exact-match, no wildcards). Fix is to add your Railway domain to that environment's egress allowlist — e.g. Claude Code's "Additional allowed domains" / "Allow network egress" setting — not anything on Railway.