CORS header is not included when rate limited
ryanccn opened this issue · comments
Ryan Cao commented
Describe the bug
When a client has exceeded the rate limit, the returned 429 Too Many Requests
response does not include an Access-Control-Allow-Origin
header, leading to the response being opaque to web applications.
Steps to reproduce
- Go over the rate limit
- Fetch any API route with the Origin header
Expected behavior
The CORS header should be included even on rate limited responses so that client applications can read the response.
Additional context
No response
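The behaviour this issue describes usually comes from middleware ordering: a rate limiter that short-circuits with a 429 before the CORS middleware has had a chance to set its header. The following is an added example, not code from the issue or from the project it concerns: a framework-free middleware chain in JavaScript with constructed requests, contrasting the buggy order with a reordered chain that keeps Access-Control-Allow-Origin on rate limited responses. The allowlisted origin, the client IP and the limit are assumptions.

```javascript
// Hypothetical CORS middleware: sets the header only for allowlisted origins
// (an assumption; the issue does not say how the real project decides).
const ALLOWED_ORIGINS = new Set(['https://app.example']);
function cors(req, res, next) {
  const origin = req.headers.origin;
  if (origin && ALLOWED_ORIGINS.has(origin)) {
    res.headers['Access-Control-Allow-Origin'] = origin;
  }
  next();
}

// Rate limiter: counts requests per client IP. Over the limit it answers 429
// and never calls next(), so middleware placed after it does not run.
function makeRateLimiter(limit) {
  const counts = new Map();
  return (req, res, next) => {
    const n = (counts.get(req.ip) || 0) + 1;
    counts.set(req.ip, n);
    if (n > limit) { res.status = 429; res.body = 'Too Many Requests'; return; }
    next();
  };
}

function handler(req, res) { res.body = 'ok'; }

// Minimal chain runner standing in for the framework's middleware pipeline.
function run(chain, req) {
  const res = { status: 200, headers: {}, body: '' };
  let i = 0;
  const next = () => { const mw = chain[i++]; if (mw) mw(req, res, next); };
  next();
  return res;
}

const LIMIT = 2;
// Buggy order (the behaviour the issue reports): limiter before CORS.
const buggyChain = () => [makeRateLimiter(LIMIT), cors, handler];
// Fixed order: CORS first, so a short-circuited 429 still carries the header.
const fixedChain = () => [cors, makeRateLimiter(LIMIT), handler];

// Send `count` requests from one constructed client; return the last response.
function simulate(buildChain, count) {
  const chain = buildChain();
  let res;
  for (let k = 0; k < count; k++) {
    res = run(chain, { ip: '203.0.113.5', headers: { origin: 'https://app.example' } });
  }
  return res;
}
```

With the buggy order the third request is a 429 with no CORS header, which is exactly the opaque response a browser client sees; with CORS first the 429 carries the header and the client can read the status.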