CORS headers not present on /api/healthz #10202

New Issue

Closed

opened 2025-11-02 09:00:55 -06:00 by GiteaMirror · 5 comments

GiteaMirror commented 2025-11-02 09:00:55 -06:00

Owner

Copy Link

Originally created by @Zokhoi on GitHub (Feb 1, 2023).

Description

I have a homer dashboard on another subdomain to check the health status of my self hosted services, and have found that with correct settings in my app.ini:

[cors]
ENABLED = true
ALLOW_DOMAIN = *
SCHEME = http
ALLOW_CREDENTIALS = true

the endpoint /api/v1/version respond with the correct CORS headers, while /api/healthz does not. The endpoints are requested without user authentication, so I have only checked these.

This behavior is reproduced at https://gitea.com, but https://try.gitea.io does not respond with CORS headers at all. Not sure if they have the CORS config set.

For reference, here is the relevant part of my homer config:

services:
  ...
  - name: "Gitea"
    icon: "fab fa-git-alt"
    url: "https://gitea.com"
    target: "_blank"
    type: Ping
    method: GET
    endpoint: "https://gitea.com/api/healthz"
    # endpoint: "https://gitea.com/api/v1/version"

Gitea Version

1.18.3

Can you reproduce the bug on the Gitea demo site?

Yes

Log Gist

No response

Screenshots

No response

Git Version

No response

Operating System

Ubuntu Server 22.04

How are you running Gitea?

official binary from https://dl.gitea.io, as service with systemd

Database

PostgreSQL

Originally created by @Zokhoi on GitHub (Feb 1, 2023). ### Description I have a [homer](https://github.com/bastienwirtz/homer) dashboard on another subdomain to check the health status of my self hosted services, and have found that with correct settings in my `app.ini`: ```ini [cors] ENABLED = true ALLOW_DOMAIN = * SCHEME = http ALLOW_CREDENTIALS = true ``` the endpoint `/api/v1/version` respond with the correct CORS headers, while `/api/healthz` does not. The endpoints are requested without user authentication, so I have only checked these. This behavior is reproduced at https://gitea.com, but https://try.gitea.io does not respond with CORS headers at all. Not sure if they have the CORS config set. For reference, here is the relevant part of my homer config: ```yaml services: ... - name: "Gitea" icon: "fab fa-git-alt" url: "https://gitea.com" target: "_blank" type: Ping method: GET endpoint: "https://gitea.com/api/healthz" # endpoint: "https://gitea.com/api/v1/version" ``` ### Gitea Version 1.18.3 ### Can you reproduce the bug on the Gitea demo site? Yes ### Log Gist _No response_ ### Screenshots _No response_ ### Git Version _No response_ ### Operating System Ubuntu Server 22.04 ### How are you running Gitea? official binary from https://dl.gitea.io, as service with systemd ### Database PostgreSQL

GiteaMirror added the type/bugissue/not-a-bug labels 2025-11-02 09:00:55 -06:00

GiteaMirror closed this issue 2025-11-02 09:00:55 -06:00

GiteaMirror commented 2025-11-02 09:00:56 -06:00

Author

Owner

Copy Link

@zeripath commented on GitHub (Feb 1, 2023):

But I don't understand why you want CORS headers on this endpoint. What would be the point?

@zeripath commented on GitHub (Feb 1, 2023): But I don't understand why you want CORS headers on this endpoint. What would be the point?

GiteaMirror commented 2025-11-02 09:00:56 -06:00

Author

Owner

Copy Link

@delvh commented on GitHub (Feb 1, 2023):

CORS specifies where resources might be loaded from.
I don't even know why API requests should receive CORS headers at all.
They only return JSON, so there's nothing to load from somewhere else?
Or am I missing something fundamental?

@delvh commented on GitHub (Feb 1, 2023): CORS specifies where resources might be loaded from. I don't even know why API requests should receive CORS headers at all. They only return JSON, so there's nothing to load from somewhere else? Or am I missing something fundamental?

GiteaMirror commented 2025-11-02 09:00:56 -06:00

Author

Owner

Copy Link

@Zokhoi commented on GitHub (Feb 2, 2023):

Well I have homer and gitea on different subdomains. I would argue the health check endpoint should make more sense to have CORS than the actual api endpoints, as there are quite a lot of sites that report on uptime statuses of services on different domains/subdomains, or even third party ones.

@Zokhoi commented on GitHub (Feb 2, 2023): Well I have homer and gitea on different subdomains. I would argue the health check endpoint should make more sense to have CORS than the actual api endpoints, as there are quite a lot of sites that report on uptime statuses of services on different domains/subdomains, or even third party ones.

GiteaMirror commented 2025-11-02 09:00:56 -06:00

Author

Owner

Copy Link

@yardenshoham commented on GitHub (Feb 2, 2023):

See discussion in #22720

@yardenshoham commented on GitHub (Feb 2, 2023): See discussion in #22720

GiteaMirror commented 2025-11-02 09:00:57 -06:00

Author

Owner

Copy Link

@Zokhoi commented on GitHub (Feb 2, 2023):

Alright then

@Zokhoi commented on GitHub (Feb 2, 2023): Alright then

Sign in to join this conversation.

No Branch/Tag Specified

Branches Tags

main

release/v1.25

release/v1.24

release/v1.23

release/v1.22

release/v1.21

release/v1.20

release/v1.19

release/v1.18

release/v1.17

release/v1.16

release/v1.15

release/v1.14

release/v1.13

release/v1.12

release/v1.11

release/v1.10

release/v1.9

release/v1.8

v1.25.3

v1.25.2

v1.25.1

v1.25.0

v1.24.7

v1.25.0-rc0

v1.26.0-dev

v1.24.6

v1.24.5

v1.24.4

v1.24.3

v1.24.2

v1.24.1

v1.24.0

v1.23.8

v1.24.0-rc0

v1.25.0-dev

v1.23.7

v1.23.6

v1.23.5

v1.23.4

v1.23.3

v1.23.2

v1.23.1

v1.23.0

v1.23.0-rc0

v1.24.0-dev

v1.22.6

v1.22.5

v1.22.4

v1.22.3

v1.22.2

v1.22.1

v1.22.0

v1.23.0-dev

v1.22.0-rc1

v1.21.11

v1.22.0-rc0

v1.21.10

v1.21.9

v1.21.8

v1.21.7

v1.21.6

v1.21.5

v1.21.4

v1.21.3

v1.21.2

v1.20.6

v1.21.1

v1.21.0

v1.21.0-rc2

v1.21.0-rc1

v1.20.5

v1.22.0-dev

v1.21.0-rc0

v1.20.4

v1.20.3

v1.20.2

v1.20.1

v1.20.0

v1.19.4

v1.21.0-dev

v1.20.0-rc2

v1.20.0-rc1

v1.20.0-rc0

v1.19.3

v1.19.2

v1.19.1

v1.19.0

v1.19.0-rc1

v1.20.0-dev

v1.19.0-rc0

v1.18.5

v1.18.4

v1.18.3

v1.18.2

v1.18.1

v1.18.0

v1.17.4

v1.18.0-rc1

v1.19.0-dev

v1.18.0-rc0

v1.17.3

v1.17.2

v1.17.1

v1.17.0

v1.17.0-rc2

v1.16.9

v1.17.0-rc1

v1.18.0-dev

v1.16.8

v1.16.7

v1.16.6

v1.16.5

v1.16.4

v1.16.3

v1.16.2

v1.16.1

v1.16.0

v1.15.11

v1.17.0-dev

v1.16.0-rc1

v1.15.10

v1.15.9

v1.15.8

v1.15.7

v1.15.6

v1.15.5

v1.15.4

v1.15.3

v1.15.2

v1.15.1

v1.14.7

v1.15.0

v1.15.0-rc3

v1.14.6

v1.15.0-rc2

v1.14.5

v1.16.0-dev

v1.15.0-rc1

v1.14.4

v1.14.3

v1.14.2

v1.14.1

v1.14.0

v1.13.7

v1.14.0-rc2

v1.13.6

v1.13.5

v1.14.0-rc1

v1.15.0-dev

v1.13.4

v1.13.3

v1.13.2

v1.13.1

v1.13.0

v1.12.6

v1.13.0-rc2

v1.14.0-dev

v1.13.0-rc1

v1.12.5

v1.12.4

v1.12.3

v1.12.2

v1.12.1

v1.11.8

v1.12.0

v1.11.7

v1.12.0-rc2

v1.11.6

v1.12.0-rc1

v1.13.0-dev

v1.11.5

v1.11.4

v1.11.3

v1.10.6

v1.12.0-dev

v1.11.2

v1.10.5

v1.11.1

v1.10.4

v1.11.0

v1.11.0-rc2

v1.10.3

v1.11.0-rc1

v1.10.2

v1.10.1

v1.10.0

v1.9.6

v1.9.5

v1.10.0-rc2

v1.11.0-dev

v1.10.0-rc1

v1.9.4

v1.9.3

v1.9.2

v1.9.1

v1.9.0

v1.9.0-rc2

v1.10.0-dev

v1.9.0-rc1

v1.8.3

v1.8.2

v1.8.1

v1.8.0

v1.8.0-rc3

v1.7.6

v1.8.0-rc2

v1.7.5

v1.8.0-rc1

v1.9.0-dev

v1.7.4

v1.7.3

v1.7.2

v1.7.1

v1.7.0

v1.7.0-rc3

v1.6.4

v1.7.0-rc2

v1.6.3

v1.7.0-rc1

v1.7.0-dev

v1.6.2

v1.6.1

v1.6.0

v1.6.0-rc2

v1.5.3

v1.6.0-rc1

v1.6.0-dev

v1.5.2

v1.5.1

v1.5.0

v1.5.0-rc2

v1.5.0-rc1

v1.5.0-dev

v1.4.3

v1.4.2

v1.4.1

v1.4.0

v1.4.0-rc3

v1.4.0-rc2

v1.3.3

v1.4.0-rc1

v1.3.2

v1.3.1

v1.3.0

v1.3.0-rc2

v1.3.0-rc1

v1.2.3

v1.2.2

v1.2.1

v1.2.0

v1.2.0-rc3

v1.2.0-rc2

v1.1.4

v1.2.0-rc1

v1.1.3

v1.1.2

v1.1.1

v1.1.0

v1.0.2

v1.0.1

v1.0.0

v0.9.99

Labels

Clear labels

$20

$250

$50

$500

backport/done

💎 Bounty

docs-update-needed

good first issue

hacktoberfest

issue/bounty

issue/confirmed

issue/critical

issue/duplicate

issue/needs-feedback

issue/not-a-bug

issue/regression

issue/stale

issue/workaround

lgtm/need 2

modifies/api

modifies/translation

outdated/backport/v1.18

outdated/theme/markdown

outdated/theme/timetracker

performance/bigrepo

performance/cpu

performance/memory

performance/speed

pr/breaking

proposal/accepted

proposal/rejected

pr/wip

pull-request

Mirrored from GitHub Pull Request

reviewed/wontfix

💰 Rewarded

skip-changelog

status/blocked

topic/accessibility

topic/api

topic/authentication

topic/build

topic/code-linting

topic/commit-signing

topic/content-rendering

topic/deployment

topic/distribution

topic/federation

topic/gitea-actions

topic/issues

topic/lfs

topic/mobile

topic/moderation

topic/packages

topic/pr

topic/projects

topic/repo

topic/repo-migration

topic/security

topic/theme

topic/ui

topic/ui-interaction

topic/ux

topic/webhooks

topic/wiki

type/bug

type/deprecation

type/docs

type/enhancement

type/feature

type/miscellaneous

type/proposal

type/question

type/refactoring

type/summary

type/testing

type/upstream

No Label issue/not-a-bug type/bug

Milestone

No items

No Milestone

Projects

Clear projects

No project

Assignees

Clear assignees

GiteaMirror ninjasurge

No Assignees

1 Participants

Notifications

Subscribe

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: github-starred/gitea#10202