CORS - Nginx

server { server name ; listen 80; access log /var/log/nginx/access log vhost; \# add header strict transport security "max age=31536000" always; proxy hide header access control allow origin; proxy hide header x frame options; proxy hide header content security policy; \# add header x frame options "allowall"; add header content security policy "frame ancestors 'self' '\<domínio>'"; server tokens off; proxy cache bypass $http upgrade; client body buffer size 10m; location / { add header cache control no cache; expires 0; if ($request method = 'options') { add header access control allow origin $http origin always; add header access control allow credentials 'true' always; add header 'access control allow methods' 'get, post, options'; \# \# custom headers and headers various browsers should be ok with but aren't \# add header 'access control allow headers' 'dnt,user agent,x requested with,if modified since,cache control,content type,range,authorization,accept language'; \# \# tell client that this pre flight info is valid for 20 days \# add header 'access control max age' 1728000; add header 'content type' 'text/plain; charset=utf 8'; add header 'content length' 0; return 204; } add header access control allow origin $http origin always; add header access control allow credentials 'true' always; proxy pass http //127 0 0 1 8080; proxy redirect off; } }