Cors Slim Preflight Request Fails

I am new to slim 3 and I’m trying to get cors working with a preflight request. It works when a preflight request is not sent, but fails when sending the preflight. Best I can tell the options route is not working. I have copied the code from the Doc to implement but have had no luck. I get this error in the console

Response to preflight request doesn’t pass access control check: No ‘Access-Control-Allow-Origin’ header is present on the requested resource.

These are the headers I get

Request URL
Request Method:OPTIONS
Status Code:200 OK
Remote Address:
Referrer Policy:no-referrer-when-downgrade

Response Headers
HTTP/1.1 200 OK
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Date: Thu, 09 Nov 2017 16:16:20 GMT
Content-Length: 0
X-Cache: MISS from barracudaXXXXX
Via: 1.1 XXXXX (http_scan_byf/3.5.16)
Connection: keep-alive

Request Headers
OPTIONS /test/rob HTTP/1.1
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache
Access-Control-Request-Method: GET
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/61.0.3163.100 Safari/537.36
Access-Control-Request-Headers: x-requested-with
Accept: /
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8

Here is the code I have implemented.

$app->options(’/{routes:.+}’, function ($request, $response, $args) {
$this->logger->addInfo(“Options run”);
return $response;
$app->add(function (Request $req, Response $res, $next) {
$response = $next($req, $res);
return $response
->withHeader(‘Access-Control-Allow-Origin’, ‘*’)
->withHeader(‘Access-Control-Allow-Headers’, ‘x-requested-with, Content-Type, Accept, Origin, Authorization’)
->withHeader(‘Access-Control-Allow-Methods’, ‘GET, POST, PUT, DELETE, OPTIONS’)

$app->get(’/test/{name}’, function (Request $request, Response $response){
$name = $request->getAttribute(‘name’);
$response->getBody()->write(“Hello, $name”);
return $response;


Thanks for the help

Hi have you found a solution to resolve this?
I got exact same problem when deal with CORS preflight check.
Any help will be appreciated.

No, I still haven’t found a solution.

A preflight request (which will be OPTIONS rather than POST) must respond with the permission in the response header.

Your server needs to respond to it with a 200 OK response and appropriate Access-Control-Allow-... origin headers.

More details:

Hi odan,

Thanks for the response.
Yes we got that idea. But the issue is in the slim api application we didn’t seem to able to capture the options call from a browser.
We tried different ways including setup a middleware class and the one that shows in the cookbook:
$app->options(’/(:name+)’, function() use ($app) {
//…return correct headers…
But nothing in the callback is triggered when a browser does a preflight OPTIONS call. Therefore, the client always gets error: Response to preflight request doesn’t pass access control check: No ‘Access-Control-Allow-Origin’ header is present on the requested resource…


Delete the $app->options(...) route and the existing CORS middleware. Then add this CORS Preflight middleware to allow all CORS Preflight requests.

// CORS Preflight middleware
$app->add(function (Request $request, Response $response, $next) {
    if($request->getMethod() !== 'OPTIONS') {
        return $next($request, $response);

    $response = $response->withHeader('Access-Control-Allow-Origin', '*');
    $response = $response->withHeader('Access-Control-Allow-Methods', $request->getHeaderLine('Access-Control-Request-Method'));
    $response = $response->withHeader('Access-Control-Allow-Headers', $request->getHeaderLine('Access-Control-Request-Headers'));

    return $next($request, $response);

Thanks for the help!
Finally found the problem.
It was actually one of the middleware that does ACL blocks the preflight check.
It didn’t response the proper body preflight check wants.
After conditional that out, everything works as expected.
Thank you again for all the help!