My API accepts a JWT within the "Authorization" header as a Bearer token. Per CORS my API should allow every origin, but also accept the "Authorization" header to authenticate client requests.
Client-side, I am getting the CORS error "Request header field authorization is not allowed by Access-Control-Allow-Headers in preflight response." while working with an Application Specification file, where I added a CORS "allow_origins" setting containing "regex: .*", thus allowing every origin.
Since "allow_headers" or "allow_methods" are not yet available in the App Specification, I can't set them and the problem remains.
To solve the problem mentioned above, I'd need to set an "allow_headers" setting like so:
Additionally it'd be nice to set "allow_methods" like so: