Access-control-allow-origin header missing in response header

I am using a Docker based HTTP service and it seems like my responses are missing some headers.

When I run my service locally, these are my headers:

➜  ~ curl -I -S -X GET "http://localhost:3000/public.fires.json"      

HTTP/1.1 200 OK
content-length: 307
content-type: application/json
access-control-allow-origin: *
date: Thu, 15 Jul 2021 22:20:26 GMT

However, the response headers are missing the critical access-control-allow-origin header, which I need for CORS compliance, when I run the same service in Render:

➜  ~ curl -s -I -X GET ""

HTTP/2 200 
content-type: application/json
date: Thu, 15 Jul 2021 22:21:09 GMT
server: Render

My Dockerfile for this service is as simple as they come:

FROM urbica/martin:latest

Thanks in advance.

1 Like

Did some sleuthing on this: not sure if this is the issue but seemingly someone else ran into this with Martin before. (Martin is a Rust based tileserver that uses Actix)

This is a theory (and I have no way to test this) but given the fix in the Github issue seems to be including an Nginx rule to forward the the protocol, it seems plausible that Render terminating HTTPS connections to be HTTP within its network could be an issue.

But that seems hella weird to me. But so is Render mangling with the outgoing response headers from Martin.

what if you include an origin in your cURL request?

curl -s -I -X GET "" -H "Origin: localhost"

It doesn’t help, unfortunately.

➜  ~ curl -s -I -X GET "" -H "Origin: localhost"
HTTP/2 200 
access-control-allow-origin: localhost
content-type: application/json
date: Fri, 16 Jul 2021 14:57:01 GMT
server: Render
vary: Origin

I don’t think you can set that header via JS anyway, even if it did work, that’d not help me.

you shouldn’t need to set the header, the browser would add it for you based on the site your loading the JS on:


Open up the network inspector before you send the request - on the request to your json the browser has added the origin: