Is it possible to make a preflight OPTIONS request with .NET HttpClient to perform integration test against Rest API's to test CORs behavior?

I am in the process of writing integration tests that verify our Rest APIs CORs behavior. The test solution is written against .NET Framework and we are using HttpClient to perform all of our requests. I do understand that CORs preflight request is sent by the browser by adding Origin, Access-Control-Request-Method and Access-Control-Request-Headers headers and the returned response should contain something like akin to this:

Set-Cookie: cookie-from-server=noop Content-Length: 0 Content-Type: application/json Access-Control-Allow-Origin: https://www.test-cors.org Cache-Control: no-cache 

The Rest API is configured with CORs that allows any origin * and allows any method *.

With the above mentioned the response from the Rest API should include the Access-Control-Allow-Origin header. However, the way I construct my request I am able to perform the request:

testCaseData.Headers.Add("Origin", "http://localhost:8008"); testCaseData.Headers.Add("Access-Control-Request-Method", "POST"); testCaseData.Headers.Add("Access-Control-Request-Headers", "origin content-type accept" ); testCaseData.HttpMethod = HttpMethod.Options; 

This seems to always work, however the response headers that are returned, always just mirror the headers I set:

"Origin", "http://localhost:8008" "Access-Control-Request-Method", "POST" "Access-Control-Request-Headers", "origin content-type accept" 

I was expecting to see Access-Control-Allow-Origin which would allow me to Assert that if CORs is correctly enabled those headers should be included in the response.

Any ideas how I write an integration test to test this behavior without a client, with simply .NET http client?

Add Comment
0 Answer(s)

Your Answer

By posting your answer, you agree to the privacy policy and terms of service.