Hello everyone,
I’m facing an issue related to CORS implementation on MikroTik’s Hotspot server. I have set up an external captive portal for my network, which requires handling OPTIONS requests due to preflight checks that browsers perform when making requests from a different origin (CORS).
My current Hotspot configuration includes using the template to set CORS headers:
$(if http-header == "Access-Control-Allow-Origin")https://myexternalwebapp.com$(endif)
$(if http-header == "Access-Control-Allow-Methods")GET, POST, OPTIONS$(endif)
$(if http-header == "Access-Control-Allow-Headers")Content-Type, Authorization$(endif)
The main issue is that the Hotspot server seems to only respond to GET and POST requests, while OPTIONS requests are not handled correctly, causing CORS errors in the browser because the preflight check cannot be completed successfully. I tried adding a rule in the Walled Garden to allow OPTIONS requests without redirection:
/ip hotspot walled-garden
add dst-host=mylocalhotspot.com method=OPTIONS
Additionally, I tested sending an OPTIONS request directly using Postman to bypass the browser’s CORS restriction, but I received a 503 Error: unknown method, which seems to indicate that the Hotspot does not properly handle the OPTIONS method.
Positive Point:
It’s worth noting that the MikroTik Hotspot server handles CORS headers very well for the methods that are already implemented, such as GET and POST. The main requests using these methods respond correctly with the expected CORS headers, which is a positive aspect for web integration.
Suggestion for Improvement:
I would also like to suggest improving the compatibility of MikroTik’s Hotspot server to work better in modern environments that require REST APIs. In many cases, current applications, especially in the context of captive portals, rely on REST interfaces for authentication and other operations. This involves using methods such as OPTIONS, PUT, PATCH, and DELETE, which do not seem to be fully supported by the Hotspot in its current state.
It would be very helpful if the MikroTik Hotspot could handle these HTTP methods and preflight CORS requests more effectively, allowing smoother integration with web applications and external captive portals that function as REST APIs. This would open up new possibilities for using MikroTik in more advanced web development scenarios.
Are there any plans to improve support for additional HTTP methods and CORS handling in future RouterOS versions? Any guidance or suggestions on this topic would be greatly appreciated.
Thank you in advance for any help or feedback.
Additional Information:
RouterOS version: 7.8
Using an external captive portal
Tests with Postman resulted in a 503 Error: unknown method
Walled Garden rule added to allow OPTIONS
The server correctly handles CORS for GET and POST methods
