
[Bug]: CORS Preflight Issue: OPTIONS Method Incorrectly Requires x-publishable-api-key Header #11779

Open
kodermax opened this issue Mar 8, 2025 · 3 comments

Comments

@kodermax

kodermax commented Mar 8, 2025

Package.json file

"dependencies": {
    "@headlessui/react": "^2.2.0",
    "@hookform/error-message": "^2.0.1",
    "@ianvs/prettier-plugin-sort-imports": "^4.4.1",
    "@mdx-js/loader": "^3.1.0",
    "@mdx-js/react": "^3.1.0",
    "@medusajs/icons": "2.6.0",
    "@medusajs/js-sdk": "2.6.0",
    "@medusajs/types": "2.6.0",
    "@medusajs/ui": "^4.0.6",
    "@next/mdx": "^15.2.1",
    "@paypal/paypal-js": "^8.2.0",
    "@paypal/react-paypal-js": "^8.8.2",
    "@radix-ui/react-accordion": "^1.2.3",
    "@radix-ui/react-checkbox": "^1.1.4",
    "@radix-ui/react-dialog": "^1.1.6",
    "@radix-ui/react-radio-group": "^1.2.3",
    "@radix-ui/react-select": "^2.1.6",
    "@radix-ui/react-slot": "^1.1.2",
    "@radix-ui/react-tabs": "^1.1.3",
    "@radix-ui/react-visually-hidden": "^1.1.2",
    "@stripe/react-stripe-js": "^3.3.0",
    "@stripe/stripe-js": "5.8.0",
    "@types/mdx": "^2.0.13",
    "algoliasearch": "5.20.3",
    "axios": "1.8.1",
    "class-variance-authority": "^0.7.1",
    "clsx": "^2.1.1",
    "cva": "1.0.0-beta.3",
    "embla-carousel-autoplay": "^8.5.2",
    "embla-carousel-react": "^8.5.2",
    "formik": "^2.4.6",
    "framer-motion": "^12.4.10",
    "hast-util-has-property": "^3.0.0",
    "hast-util-heading-rank": "^3.0.0",
    "lodash": "^4.17.21",
    "lucide-react": "^0.477.0",
    "next": "15.2.1",
    "next-mdx-remote": "^5.0.0",
    "next-nprogress-bar": "^2.4.7",
    "next-themes": "^0.4.4",
    "pg": "^8.13.3",
    "qs": "^6.14.0",
    "react": "19.0.0",
    "react-country-flag": "3.1.0",
    "react-dom": "19.0.0",
    "react-icons": "^5.5.0",
    "react-instantsearch-hooks-web": "^6.47.3",
    "react-intersection-observer": "^9.15.1",
    "react-markdown": "^9.0.3",
    "rehype-highlight": "^7.0.2",
    "rehype-slug": "^6.0.0",
    "rehype-unwrap-images": "1.0.0",
    "remark-gfm": "^4.0.1",
    "server-only": "^0.0.1",
    "sharp": "^0.33.5",
    "simple-icons": "^14.9.0",
    "sonner": "^1.7.4",
    "tailwind-merge": "^2.6.0",
    "tailwindcss-animate": "^1.0.7",
    "tailwindcss-radix": "^3.0.5",
    "unist-util-visit": "^5.0.0",
    "validator": "^13.12.0",
    "webpack": "5.98.0",
    "yup": "^1.6.1",
    "zustand": "^5.0.3"
  },
  "devDependencies": {
    "@babel/core": "7.26.9",
    "@medusajs/client-types": "^0.2.12",
    "@medusajs/ui-preset": "2.5.1",
    "@types/lodash": "^4.17.16",
    "@types/node": "22.13.9",
    "@types/pg": "^8.11.11",
    "@types/react": "19.0.10",
    "@types/react-dom": "19.0.4",
    "@types/react-instantsearch-dom": "6.12.8",
    "@typescript-eslint/eslint-plugin": "8.25.0",
    "@typescript-eslint/parser": "8.25.0",
    "ansi-colors": "^4.1.3",
    "autoprefixer": "^10.4.20",
    "babel-loader": "9.2.1",
    "eslint": "9.21.0",
    "eslint-config-next": "15.2.1",
    "eslint-config-prettier": "^10.0.2",
    "eslint-plugin-unused-imports": "4.1.4",
    "postcss": "^8.5.3",
    "prettier": "3.5.3",
    "prettier-plugin-tailwindcss": "^0.6.11",
    "tailwindcss": "3.4.17",
    "typescript": "5.7.3"
  },

Node.js version

21

Database and its version

16.2

Operating system name and version

Windows

Browser name

No response

What happened?

We’ve encountered an issue with CORS configuration in MedusaJS where the OPTIONS preflight request is incorrectly expecting the x-publishable-api-key header. According to CORS specifications, preflight requests (OPTIONS) should not require authentication or custom headers to be sent by the client. Currently, the server responds with a 403 error if this header is omitted in OPTIONS requests, which breaks legitimate cross-origin requests.

This issue blocks frontend clients from properly integrating with the API, as browsers automatically handle preflight and do not attach custom headers like x-publishable-api-key to OPTIONS requests.

Could you please adjust the CORS configuration to exclude enforcing x-publishable-api-key for OPTIONS methods? This would align with standard CORS practices and resolve the preflight failures.

Let me know if you need additional details or examples. Thanks for your hard work!

Expected behavior

The OPTIONS method should not require the x-publishable-api-key header.

The header should only be validated in subsequent actual requests (GET, POST, etc.) after a successful preflight.

Actual behavior

The server enforces the presence of the x-publishable-api-key header in OPTIONS requests.

If the header is missing, the server returns a 403 Forbidden error, blocking the preflight request.

This prevents browsers from proceeding with the actual request (e.g., GET or POST) even when valid credentials are provided in subsequent steps.

Link to reproduction repo

no
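To make the reported behaviour concrete, here is an added example (not Medusa's own middleware; the key value, function names and request shapes are constructed) showing a header check that wrongly rejects the preflight beside one that validates the key only on the real request:

```javascript
// Added example, not Medusa's code: a minimal publishable-key check that lets
// CORS preflight (OPTIONS) through, next to the defective variant that answers
// the preflight with 403. Requests are plain objects; no framework is needed.
const VALID_KEYS = new Set(["pk_constructed_example"]); // constructed sample key

// Defective variant: treats OPTIONS like any other method, so a browser's
// preflight (which never carries custom headers) is refused with 403.
function requireKeyBroken(req) {
  const key = req.headers["x-publishable-api-key"];
  if (!key || !VALID_KEYS.has(key)) {
    return { status: 403, body: "Publishable API key required" };
  }
  return null; // null means "pass to the next handler"
}

// Corrected variant: the preflight only asks whether the real request may be
// sent; the key is still enforced on that real request, so nothing is bypassed.
function requireKeyFixed(req) {
  if (req.method === "OPTIONS") return null;
  return requireKeyBroken(req);
}

// Simulates the browser's two-step flow: preflight first, then the actual
// request, which the browser only issues if the preflight succeeded.
function simulateCorsFlow(middleware, actualReq) {
  const preflight = {
    method: "OPTIONS",
    headers: {
      origin: actualReq.headers.origin,
      "access-control-request-method": actualReq.method,
      "access-control-request-headers": "x-publishable-api-key",
    },
  };
  const pre = middleware(preflight);
  if (pre) return { preflightStatus: pre.status, actualStatus: null };
  const actual = middleware(actualReq);
  return { preflightStatus: 204, actualStatus: actual ? actual.status : 200 };
}

// Constructed sample requests from a storefront origin.
const cartRequest = {
  method: "GET",
  headers: { origin: "https://shop.example", "x-publishable-api-key": "pk_constructed_example" },
};
const noKeyRequest = { method: "GET", headers: { origin: "https://shop.example" } };

console.log(simulateCorsFlow(requireKeyBroken, cartRequest)); // { preflightStatus: 403, actualStatus: null }
console.log(simulateCorsFlow(requireKeyFixed, cartRequest));  // { preflightStatus: 204, actualStatus: 200 }
console.log(simulateCorsFlow(requireKeyFixed, noKeyRequest)); // { preflightStatus: 204, actualStatus: 403 }
```

The third call shows why skipping the check on OPTIONS is safe: a request that lacks the key still gets 403 once the browser actually sends it.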

@jorgepazp

I'm facing the same issue. Are you trying to use the cart module by any chance? I can't use any of the cart endpoints because of a CORS error, but I've properly added the x-publishable-api-key and set the correct domains on STORE_CORS and AUTH_CORS.
I haven't been able to find a workaround for this; the only thing I haven't tried yet is using a JWT token, but if OPTIONS is expecting a header that won't be there first, then I'm not sure if it will make any difference ☹️

@hamidooChe

I think it's the same issue here: #11743
Try downgrading to 2.5.1 or wait for the next release.

@pAlieNq

pAlieNq commented Mar 10, 2025

Same issue on 2.6.0, does not exist on 2.5
