Azure API Management
An Azure service that provides a hybrid, multi-cloud management platform for APIs.
APIM Cors OPTIONS request 500 error
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(224.00000000000003, 0%, 31%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EIB%3C/text%3E%3C/svg%3E)
Ivo Bathke
0
Reputation points
Hi,
we have an API Proxy in APIM and have added a CORS policy to allow wildcard subdomains.
The POST requests are working, even with the CORS headers.
However the OPTIONS preflight request fails with a 500 error with no further information.
{
"statusCode": 500,
"message": "Internal server error",
"activityId": "473be759-ecde-4f6b-a49c-07c45daca1dd"
}
Debug tracing does also not work. There is no trace-id returned when the request , even with a valid Apim-Debug-Authorization header.
- Why do we get this error on OPTIONS preflight?
- Where do I get more information about the cause of the error?
- Is there a more easy way for wildcard subdomains in the allowed-origins?
The policy:
<inbound>
<!-- Extract origin from request -->
<set-variable name="requestOrigin" value="@(context.Request.Headers.GetValueOrDefault("Origin", string.Empty))" />
<!-- Check if origin is allowed -->
<choose>
<when condition="@{
var origin = context.Variables.GetValueOrDefault<string>("requestOrigin");
// List of allowed exact origins
var allowedOrigins = new[] {
"http://localhost:3000",
"https://production",
"https://dev"
};
return allowedOrigins.Contains(origin) || origin.EndsWith(".staging.de");
}">
<set-variable name="corsOrigin" value="@((string)context.Variables["requestOrigin"])" />
</when>
<otherwise>
<set-variable name="corsOrigin" value="" />
</otherwise>
</choose>
<cors allow-credentials="false">
<allowed-origins>
<origin>@((string)context.Variables["corsOrigin"])</origin>
</allowed-origins>
<allowed-methods preflight-result-max-age="10">
<method>POST</method>
<method>GET</method>
</allowed-methods>
<allowed-headers>
<header>*</header>
</allowed-headers>
</cors>
<base />
<!-- Call backend -->
<set-backend-service base-url="https://third-party-api/" />
</inbound>
<outbound>
<base />
<set-header name="Access-Control-Allow-Origin" exists-action="override">
<value>@((string)context.Variables["corsOrigin"])</value>
</set-header>
<set-header name="Vary" exists-action="append">
<value>Origin</value>
</set-header>
</outbound>
<!-- Control if and how the requests are forwarded to services -->
<backend>
<base />
</backend>
<!-- Handle exceptions and customize error responses -->
<on-error>
<base />
</on-error>
</policies>
Azure API Management
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(134.4, 7.000000000000001%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESK%3C/text%3E%3C/svg%3E)
Sandhya Kommineni 245 Reputation points Microsoft External Staff Moderator2025-08-22T08:13:11.0433333+00:00 Hi Ivo Bathke, Thanks for sharing your query with the Microsoft Q&A community.
I understand you’re seeing a
500 Internal Server Erroron the OPTIONS (CORS preflight) requests, even though your POST requests are working fine. Let me clarify why this happens in API Management and the steps to resolve it.Fix recommended steps
- Move the <cors> block to the very top of the <inbound> pipeline, before any custom policies.
- Avoid using <origin>@((string)context.Variables["corsOrigin"])</origin> inside <cors>. Instead, use a <choose> block outside the CORS policy and inject <cors> only when a valid origin is matched.
- Do not return <origin></origin> empty — if corsOrigin resolves to empty, APIM responds with 500.
- If possible, explicitly list known subdomains (wildcard origins with allow-credentials=true are not supported).
1. Debug tracing does also not work. There is no trace-id returned when the request, even with a valid Apim-Debug-Authorization header.
- In API Management, debug tracing does not log OPTIONS (preflight) requests. This is intentional, as only the
<cors>policy is executed for OPTIONS, while the rest of the inbound/outbound pipeline is skipped. - Because the request never goes through full policy processing, APIM does not generate a trace ID even if the
Ocp-Apim-Debug-Authorizationheader is included. - To troubleshoot OPTIONS requests, the recommended method is to use APIM Gateway logs in Azure Monitor / Log Analytics, where you can review request/response details, status codes, and CORS headers. Debug tracing is only available for standard requests (e.g., GET, POST), not for preflight OPTIONS.
2. Why do we get this error on OPTIONS preflight?
- In APIM, only the
<cors>policy is executed for OPTIONS requests. If the<cors>policy isn’t placed first in the<inbound>section, or if it evaluates an empty/invalid origin, APIM fails to construct a valid CORS response and returns a 500 Internal Server Error instead of the expected headers. - For preflight (OPTIONS) requests, only the CORS policy is evaluated. Any other policies in the inbound pipeline are ignored.
3.Where do I get more information about the cause of the error?
Enable APIM Gateway logs in Azure Monitor / Log Analytics.
Query with Kusto to confirm OPTIONS responses, status codes, and response headers.
AzureDiagnostics
where ResourceType == "APIMGatewayLogs"
where OperationName == "IncomingRequest"
where HttpMethod == "OPTIONS"
project TimeGenerated, clientIp_s, RequestUri_s, HttpStatusCode_d, BackendTimeMs_d, ResponseSize_s, CorrelationId_g
order by TimeGenerated desc
check the actual CORS header values that APIM returned
AzureDiagnostics
where ResourceType == "APIMGatewayLogs"
where HttpMethod == "OPTIONS"
project TimeGenerated, RequestUri_s, HttpStatusCode_d, ResponseHeaders_s
order by TimeGenerated desc
You won’t see deep trace steps, but you can confirm that the backend was skipped and APIM itself answered the OPTIONS.
Refer document: https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-use-azure-monitor?utm_source
4. Is there a more easy way for wildcard subdomains in the allowed-origins?
- In Azure API Management, you cannot enable CORS allowed credentials when the allowed origin is set to a wildcard (
*). This is because combiningAllowAnyOriginwithAllowCredentialsis insecure and may expose your API to risks such as cross-site request forgery (CSRF). - While CORS in APIM does support wildcard origins, there are key restrictions. If you need to allow credentials, you should avoid using
*and instead configure either specific origins or a wildcard subdomain to maintain security. - The recommended approach is to extract the
Originheader and conditionally allow it if it matches your domain pattern, then echo it back in the response.
With these changes, OPTIONS requests should succeed without 500 errors, and you’ll have better visibility into what APIM is returning.
For more details, you can refer to the following documentation:
https://learn.microsoft.com/en-us/azure/api-management/cors-policy?utm_source
I hope this helps, please let me know if you have any further questions
-
Sandhya Kommineni 245 Reputation points Microsoft External Staff Moderator
2025-08-25T01:16:56.4366667+00:00 Hi Ivo Bathke, following up to see if you have a chance to check my previous response and helped do let me know if you have any further questions on this.
-
Ivo Bathke 0 Reputation points
2025-08-25T10:56:30.77+00:00 Thank you @Sandhya Kommineni for the response.
Appearently I am follwing the recommended approach:
The recommended approach is to extract the
Originheader and conditionally allow it if it matches your domain pattern, then echo it back in the response.Regarding logging: I am currently waiting for approval for creating a Application Insights Instance.
I moved the <cors> block inside the <when> block, so it will only rendered when the Origin header matches the condition.
<choose> <when condition="@{ var origin = context.Variables.GetValueOrDefault<string>("requestOrigin"); // List of allowed exact origins var allowedOrigins = new[] { "http://localhost:3000", "https://production", "https://dev" }; return allowedOrigins.Contains(origin) || origin.EndsWith(".staging.example"); }"> <set-variable name="corsOrigin" value="@((string)context.Variables["requestOrigin"])" /> <cors> <allowed-origins> <origin>@((string)context.Variables["corsOrigin"])</origin> </allowed-origins> <allowed-methods preflight-result-max-age="10"> <method>POST</method> <method>GET</method> </allowed-methods> <allowed-headers> <header>*</header> </allowed-headers> </cors> </when> <otherwise> <set-variable name="corsOrigin" value="" /> </otherwise> </choose>However now I get an 404 for the OPTIONS request:
{"statusCode": 404,
"message": "Resource not found"
}
The POST request still works.
Allow-credentials attribute was set to false and is removed now to allow wildcard subdomains.
Why do I get a 404 now on the OPTIONS request?
-
Sandhya Kommineni 245 Reputation points Microsoft External Staff Moderator
2025-08-26T06:38:25.1366667+00:00 Hi Ivo Bathke, Thanks for sharing your output
In APIM, when you see a 404 on an OPTIONS request, it usually means that the request didn’t match any operation in your API for that route. Even though you have a CORS policy, APIM still needs the OPTIONS request to map to a valid API path and verb if it can’t find one, it returns 404.
For OPTIONS requests, APIM skips the full policy pipeline and only checks for a top-level
<cors>policy if it’s missing, APIM can’t respond and returns a 404.Recommended steps to follow:
You don’t need to explicitly define OPTIONS operations in your API.- Place the
<cors>policy at the very top of the inbound pipeline, ideally outside of<choose>. - When
<cors>is present at the top level, APIM will automatically handle OPTIONS requests. - If you keep
<cors>inside a<choose>and the condition doesn’t match. APIM won’t process the OPTIONS request, which results in a 404.
Try moving
<cors>back to the top-level inbound, and use<choose>only to decide the value of the allowed origin.Example: <inbound>
<set-variable name="requestOrigin" value="@(context.Request.Headers.GetValueOrDefault("Origin",""))" /> <choose> <when condition="@{ var origin = context.Variables.GetValueOrDefault<string>("requestOrigin"); var allowedOrigins = new[] { "http://localhost:3000", "https://production", "https://dev" }; return allowedOrigins.Contains(origin) || origin.EndsWith(".staging.example"); }"> <set-variable name="corsOrigin" value="@((string)context.Variables["requestOrigin"])" /> </when> <otherwise> <set-variable name="corsOrigin" value="" /> </otherwise> </choose> <cors> <allowed-origins> <origin>@((string)context.Variables["corsOrigin"])</origin> </allowed-origins> <allowed-methods preflight-result-max-age="10"> <method>POST</method> <method>GET</method> </allowed-methods> <allowed-headers> <header>*</header> </allowed-headers> </cors></inbound>
The POST request still works because POST requests do run the whole pipeline, including your
<when>block. That’s why the actual call succeeds, but the preflight OPTIONS fails.When
<cors>was at the top level in<inbound>, APIM could handle OPTIONS correctly, but once it was moved inside a<when>block, APIM doesn’t go inside so, skipped it for OPTIONS requests, and with no CORS response returned, APIM defaulted to 404.If you really want
<cors>inside<when>, then you must also explicitly define an OPTIONS operation in your API design (via OpenAPI spec or in APIM) otherwise APIM won’t find a match and returns 404.I hope this helps, please let me know if you have any further questions
- Place the
-
Ivo Bathke 0 Reputation points
2025-08-26T08:56:21.07+00:00 @Sandhya Kommineni it does not work.
It is also basically what I had in the first question.I reduced the script to just use a context variable and then it fails.
Seems APIM policies are not able to process variables in the cors block.
Can you confirm this?<policies> <inbound> <set-variable name="origin" value="https://staging.example.com" /> <cors> <allowed-origins> <origin>@((string)context.Variables.GetValueOrDefault("origin"))</origin> </allowed-origins> <allowed-methods preflight-result-max-age="10"> <method>POST</method> <method>GET</method> </allowed-methods> <allowed-headers> <header>*</header> </allowed-headers> </cors> <base /> <!-- Call backend --> <set-backend-service base-url="https://thirdpartyapi" /> </inbound> <outbound> <base /> </outbound> <on-error /> <backend> <base /> </backend> </policies> -
Sandhya Kommineni 245 Reputation points Microsoft External Staff Moderator
2025-08-27T07:57:19.3933333+00:00 Hi Ivo Bathke,
yes, variables cannot be processed in the CORS policy block in Azure API Management as expected.
you can refer below document to check allowed elements and policy statement of CORS
https://learn.microsoft.com/en-us/azure/api-management/cors-policy
-
Ivo Bathke 0 Reputation points
2025-08-27T08:21:52.7133333+00:00 @Sandhya Kommineni ok thank you.
I conclude:
wildcard subdomains for CORS headers are not possible to configure in APIM.So APIM is not suitable for setups that need dynamic subdomains, f.e. systems that use testing clusters.
I think it would be fair, if this limitation would be mentioned in the Azure API Management documentation.
-
Sandhya Kommineni 245 Reputation points Microsoft External Staff Moderator
2025-08-27T08:47:49.8733333+00:00 Yes, Ivo Bathke,
In Azure API Management (APIM), wildcard subdomains are currently not supported in the CORS policy’s
<allowed-origins>element. This means you cannot configure CORS headers dynamically for subdomains likehttps://*.example.com. The allowed origins must be explicitly listed with full domain names including scheme, host, and port. This limitation makes APIM less suitable for scenarios where dynamic or multiple subdomains such as testing clusters need CORS support without manually updating each origin.While APIM supports wildcard origins for CORS, this limitation should be carefully considered. If your scenario requires credentials, you should avoid using the generic wildcard and instead define specific origins or use a wildcard subdomain pattern.
It would be fair and helpful for this limitation to be explicitly mentioned in the official Azure API Management documentation to enhance transparency and help users plan their CORS policies accordingly.
For more details, see the official docs on APIM CORS policy
-
Sandhya Kommineni 245 Reputation points Microsoft External Staff Moderator
2025-08-28T09:00:31.92+00:00 Hi Ivo Bathke, following up to see if you have a chance to check my previous response and helped, do let me know if you have any further questions on this.
Sign in to comment
Sign in to answer