{
  "$type": "site.standard.document",
  "bskyPostRef": {
    "cid": "bafyreia64mg6crpi2ut5njcroq5ek7w5b2nbbejqickte2yiaovv7n4o24",
    "uri": "at://did:plc:pgryn3ephfd2xgft23qokfzt/app.bsky.feed.post/3mov3u7acg5m2"
  },
  "path": "/t/hugging-face-spaces-proxy-suddenly-stripping-access-control-allow-credentials-header-on-options-preflight/177064#post_1",
  "publishedAt": "2026-06-22T13:49:43.000Z",
  "site": "https://discuss.huggingface.co",
  "textContent": "Hey everyone,\n\nI’ve had a full-stack MERN app running perfectly for months. The backend is hosted on Hugging Face Spaces (`express` server in a Docker container), and the frontend is on Vercel.\n\nOut of nowhere, my `/user/login` route started failing with a CORS error: `The value of the 'Access-Control-Allow-Credentials' header in the response is '' which must be 'true' when the request's credentials mode is 'include'.`\n\nWhen inspecting the **Network tab**, I can see that the browser sends an `OPTIONS` preflight request, and the response headers from the backend look like this:\n\nHTTP\n\n\n    access-control-allow-headers: content-type\n    access-control-allow-methods: POST\n    access-control-allow-origin: https://iskra-edu.vercel.app\n    access-control-max-age: 600\n    content-length: 0\n    vary: origin, access-control-request-method, access-control-request-headers\n\n\n\nAs you can see, `Access-Control-Allow-Credentials` is completely missing.\n\n**The catch:** My Express code explicitly has `credentials: true` configured inside the `cors` middleware, and I even added a manual global wildcard middleware at the very top of my app to force-inject the header on all `OPTIONS` requests:\n\nJavaScript\n\n\n    app.use((req, res, next) => {\n        res.setHeader('Access-Control-Allow-Credentials', 'true');\n        if (req.method === 'OPTIONS') return res.sendStatus(200);\n        next();\n    });\n\n\n\nEven with this, the header **never** reaches the browser. It seems like the Hugging Face edge proxy/routing mesh is intercepting the `OPTIONS` request and stripping out the `Access-Control-Allow-Credentials` header before it can hit my container, or it’s answering the preflight entirely on its own.\n\nHas anyone else experienced Hugging Face randomly breaking preflight CORS headers recently? Is there a new configuration in `README.md` or the routing mesh that I missed?\nAny help or workaround (besides bypassing preflight via URL-encoded forms) would be highly appreciated!",
  "title": "Hugging Face Spaces proxy suddenly stripping Access-Control-Allow-Credentials header on OPTIONS preflight?"
}