How to Get CORS to use HTTP 304 instead of HTTP 200 responses


It is unclear whether my RESTful CORS responses are ever retrieved from the cache. They all had the 200 status code but never 304; even though there is no change in the request, the response, and the If-None-Match and Etag headers.

The response headers are as follows:

Access-Control-Allow-Credentials: true
Access-Control-Max-Age: 86400
Cache-Control: no-cache
Pragma: no-cache
Vary: Cookie, Origin

While the preflight requests are no longer invoked on a per-request basis, all other XHR calls are returning 200 HTTP response.

This problem only happens for cross-origin requests.

Following is a redacted excerpt:

import express from 'express';
import cors from 'cors';

const server = express();
    .set( 'etag', 'strong' )
    .use( cors({
        credentials: true,
        maxAge: 86400,
        origin: ''
    }) )
    .use(( req, res, next ) => {
        res.setHeader( 'Cache-Control', 'no-cache' );
        res.setHeader( 'Pragma', 'no-cache' );
        res.setHeader( 'Vary', `Cookie, ${ res.get( 'Vary' ) }` );


Seems to be a known issue of Chrome.

When processing a conditional request where the response matches the ETag, express sets status 304 and returns an empty payload, see here. You can verify this with

> curl -v -H "If-None-Match:..." http://server/path
< HTTP/1.1 304 Not Modified
< X-Powered-By: Express
< Access-Control-Allow-Origin: *
< Cache-Control: no-cache
< ETag: "..."

This server behavior is independent of whether the request is cross-origin or not.

When the Chrome browser receives this response, it takes the payload from its cache and displays it in the network trace, together with status 304. However, in case of a cross-origin request, it displays status 200 instead. But this is an artifact of the browser alone, and has got nothing to do with the server.

Answered By – Heiko Theißen

This Answer collected from stackoverflow, is licensed under cc by-sa 2.5 , cc by-sa 3.0 and cc by-sa 4.0

Leave a Reply

(*) Required, Your email will not be published