9 months ago
I’m hosting a Spring Boot application on Railway (Java 17, Spring Boot 3.5), and I’m encountering CORS issues when trying to call my backend API from my frontend deployed locally (and from Railway preview apps).
The API endpoint is:
https://pxp-api-java-production.up.railway.app/api/v1/currencies/get-currency-test
i tried this
@Configuration
public class CorsConfig implements WebMvcConfigurer {
@Override
public void addCorsMappings(CorsRegistry registry) {
registry.addMapping("/**")
.allowedOrigins("https://allcleanlaundry.onrender.com")
.allowedMethods("GET", "POST", "PUT", "DELETE", "OPTIONS", "PATCH", "HEAD")
.allowedHeaders("*")
.allowCredentials(true)
.maxAge(3600);
}
}
tried all solutions in this thread
https://station.railway.com/questions/cors-preflight-request-blocked-by-railwa-803ac783
here is the temp app
https://pexpatsfe-pexpatsfe-pr-344.up.railway.app/calculators/Czech-Freelancing-income-salary-calculator
that i call my endpoing that returns CORS error
running this
curl -I -X OPTIONS 'https://pxp-api-java-production.up.railway.app/api/v1/currencies/get-currency-test'
vary: Origin
vary: Access-Control-Request-Method
vary: Access-Control-Request-Headers
x-railway-edge: railway/europe-west4
x-railway-request-id: SFnYPH9qReqWAfDn0KZcTw
content-length: 0
assuming railway is blocking this request b4 it reaches my server ?
Does Railway have an edge layer or proxy that blocks or overrides CORS behavior by default? If yes, is there a way to configure CORS support (e.g., whitelisted domains, disabling edge handling, or using headers)?
Thanks in advance!
2 Replies
9 months ago
Hi there, these docs might be helpful here to allow the traffic: whitelisting: https://docs.railway.com/reference/static-outbound-ips#use-cases
Additionally have you setup a public URL like in step 4 here? https://docs.railway.com/guides/spring-boot
Status changed to Awaiting User Response Railway • 9 months ago
9 months ago
Hey, I ran into the same issue before and totally feel your pain 
From what you're describing, it really sounds like Railway’s edge layer is handling (and blocking) the CORS preflight requestbefore it even hits your Spring Boot backend. That would explain why your app's CORS config isn’t doing anything — it’s not even getting the chance.
You can actually see it in your curl output:
vary: Origin
vary: Access-Control-Request-Method
vary: Access-Control-Request-Headers
content-length: 0
There’s no Access-Control-Allow-Origin, so the CORS headers aren’t being returned — meaning the request probably got handled (or dropped) at the proxy level.
What worked for me:
I added a CORS filter manually in Spring Boot instead of relying only on WebMvcConfigurer. Here’s what I used:
@Component
public class SimpleCORSFilter implements Filter {
public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
throws IOException, ServletException {
HttpServletResponse response = (HttpServletResponse) res;
HttpServletRequest request = (HttpServletRequest) req;
response.setHeader("Access-Control-Allow-Origin", "https://allcleanlaundry.onrender.com");
response.setHeader("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, OPTIONS");
response.setHeader("Access-Control-Allow-Headers", "*");
response.setHeader("Access-Control-Allow-Credentials", "true");
if ("OPTIONS".equalsIgnoreCase(request.getMethod())) {
response.setStatus(HttpServletResponse.SC_OK);
} else {
chain.doFilter(req, res);
}
}
}
For me, that finally let the preflight go through, even on Railway.
One more thing:
Railway doesn’t currently expose a config to manage CORS at the edge (like Vercel does), so your best bet is to either:
Handle CORS fully in your backend (like with the filter above), or
Proxy the request through a frontend server or Cloudflare Worker that you control.