Safari + Hapi.js + CORS = 404

So with recent software updated on OS X (including newest Safari 9.0.1) and also updating a project to latest version of hapi.js(v11) CORS requests are broken.

It appears Safari now sends an Access-Control-Request-Headers value of “accept, origin, authorization”, while Hapi has a default configuration for CORS headers doesn’t include “origin”. Chrome meanwhile, was still working only sending “accept, authorization” for the header value.

The solution is to tell Hapi to also accept “origin” as a CORS request header value:

  port: process.env.PORT || 8081,
  routes: {
    cors: {
      additionalHeaders: [

There have been a few changes in configuration and handling of CORS in Hapi of late, so this may not be needed down the road if changes are made to the default configuration.

Filed under