zowe · balhar-jakub · Mar 20, 2026 · Mar 20, 2026 · Mar 31, 2026
diff --git a/cloud-gateway-service/src/main/resources/application.yml b/cloud-gateway-service/src/main/resources/application.yml
@@ -41,7 +41,7 @@ apiml:
         forwardClientCertEnabled: false
         hostname: localhost
         id: ${spring.application.name}
-        ignoredHeadersWhenCorsEnabled: Access-Control-Request-Method,Access-Control-Request-Headers,Access-Control-Allow-Origin,Access-Control-Allow-Methods,Access-Control-Allow-Headers,Access-Control-Allow-Credentials,Origin
+        ignoredHeadersWhenCorsEnabled: Access-Control-Request-Method,Access-Control-Request-Headers,Origin
         port: 10023
         scheme: https  # "https" or "http"
     security:

diff --git a/cloud-gateway-service/src/test/resources/application.yml b/cloud-gateway-service/src/test/resources/application.yml
@@ -11,7 +11,7 @@ apiml:
         hostname: localhost
         scheme: https
         corsEnabled: true
-        ignoredHeadersWhenCorsEnabled: Access-Control-Request-Method,Access-Control-Request-Headers,Access-Control-Allow-Origin,Access-Control-Allow-Methods,Access-Control-Allow-Headers,Access-Control-Allow-Credentials,Origin
+        ignoredHeadersWhenCorsEnabled: Access-Control-Request-Method,Access-Control-Request-Headers,Origin
     cloudGateway:
         serviceRegistryEnabled: false
         forwardClientCertEnabled: false

diff --git a/gateway-service/src/main/resources/application.yml b/gateway-service/src/main/resources/application.yml
@@ -48,7 +48,7 @@ apiml:
         ipAddress: 127.0.0.1  # IP address that is advertised in Eureka. Default is valid only for localhost
         scheme: https  # "https" or "http"
         preferIpAddress: false
-        ignoredHeadersWhenCorsEnabled: Access-Control-Request-Method,Access-Control-Request-Headers,Access-Control-Allow-Origin,Access-Control-Allow-Methods,Access-Control-Allow-Headers,Access-Control-Allow-Credentials,Origin
+        ignoredHeadersWhenCorsEnabled: Access-Control-Request-Method,Access-Control-Request-Headers,Origin
         additionalRegistration: # List of additional Apiml Discovery Services metadata to register with
 
     httpclient:

diff --git a/gateway-service/src/test/java/org/zowe/apiml/gateway/security/config/CorsBeanTest.java b/gateway-service/src/test/java/org/zowe/apiml/gateway/security/config/CorsBeanTest.java
@@ -26,7 +26,9 @@
 
 import java.lang.reflect.Field;
 import java.net.URISyntaxException;
+import java.util.Arrays;
 import java.util.List;
+import java.util.Set;
 
 import static org.junit.jupiter.api.Assertions.assertEquals;
 import static org.junit.jupiter.api.Assertions.assertTrue;
@@ -39,6 +41,43 @@ class CorsBeanTest {
     @Mock
     private Environment environment;
 
+    @Nested
+    class GivenIgnoredHeadersConfiguration {
+
+        private static final String IGNORED_HEADERS = "Access-Control-Request-Method,Access-Control-Request-Headers,Origin";
+
+        @Test
+        void whenCorsEnabled_thenIgnoredHeadersDoNotContainResponseHeaders() {
+            Set<String> ignoredHeaders = Set.of(IGNORED_HEADERS.split(","));
+
+            List<String> corsResponseHeaders = Arrays.asList(
+                "Access-Control-Allow-Origin",
+                "Access-Control-Allow-Methods",
+                "Access-Control-Allow-Headers",
+                "Access-Control-Allow-Credentials"
+            );
+
+            for (String responseHeader : corsResponseHeaders) {
+                assertTrue(
+                    !ignoredHeaders.contains(responseHeader),
+                    "CORS response header '" + responseHeader + "' must not be in ignoredHeadersWhenCorsEnabled. " +
+                    "Zuul strips ignored headers from both requests and responses, so including response headers " +
+                    "causes the browser to never receive CORS headers."
+                );
+            }
+        }
+
+        @Test
+        void whenCorsEnabled_thenIgnoredHeadersContainOnlyRequestHeaders() {
+            Set<String> ignoredHeaders = Set.of(IGNORED_HEADERS.split(","));
+
+            assertTrue(ignoredHeaders.contains("Origin"), "Origin request header should be stripped before forwarding");
+            assertTrue(ignoredHeaders.contains("Access-Control-Request-Method"), "Access-Control-Request-Method should be stripped");
+            assertTrue(ignoredHeaders.contains("Access-Control-Request-Headers"), "Access-Control-Request-Headers should be stripped");
+            assertEquals(3, ignoredHeaders.size(), "Only request-side CORS headers should be in the ignored list");
+        }
+    }
+
     @Nested
     class GivenATTLSIsEnabled {
 

diff --git a/gateway-service/src/test/resources/application.yml b/gateway-service/src/test/resources/application.yml
@@ -15,7 +15,7 @@ apiml:
         preferIpAddress: false
         allowEncodedSlashes: true
         discoveryServiceUrls: https://localhost:10011/eureka/
-        ignoredHeadersWhenCorsEnabled: Access-Control-Request-Method,Access-Control-Request-Headers,Access-Control-Allow-Origin,Access-Control-Allow-Methods,Access-Control-Allow-Headers,Access-Control-Allow-Credentials,Origin
+        ignoredHeadersWhenCorsEnabled: Access-Control-Request-Method,Access-Control-Request-Headers,Origin
         additionalRegistration: # List of additional Apiml Discovery Services metadata to register with
     loadBalancer:
         distribute: false