From 9424facb8eb02ef50d3e511889f97f008cb2920c Mon Sep 17 00:00:00 2001
From: Tunay <121901995+Tuntii@users.noreply.github.com>
Date: Sun, 18 Jan 2026 00:11:48 +0300
Subject: [PATCH 1/2] Fix CORS preflight allow-headers for wildcard

---
 crates/rustapi-extras/src/cors/mod.rs | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/crates/rustapi-extras/src/cors/mod.rs b/crates/rustapi-extras/src/cors/mod.rs
index 9252bca..848a3a4 100644
--- a/crates/rustapi-extras/src/cors/mod.rs
+++ b/crates/rustapi-extras/src/cors/mod.rs
@@ -195,7 +195,16 @@ impl MiddlewareLayer for CorsLayer {
     ) -> Pin<Box<dyn Future<Output = Response> + Send + 'static>> {
         let origins = self.origins.clone();
         let methods = self.methods_header_value();
-        let headers = self.headers_header_value();
+        let allow_headers = if self.headers.iter().any(|value| value == "*") {
+            req.headers()
+                .get(header::ACCESS_CONTROL_REQUEST_HEADERS)
+                .and_then(|value| value.to_str().ok())
+                .filter(|value| !value.trim().is_empty())
+                .map(str::to_string)
+                .unwrap_or_else(|| "*".to_string())
+        } else {
+            self.headers_header_value()
+        };
         let credentials = self.credentials;
         let max_age = self.max_age;
         let is_any_origin = matches!(origins, AllowedOrigins::Any);
@@ -256,7 +265,7 @@ impl MiddlewareLayer for CorsLayer {
                 // Set Allow-Headers
                 headers_mut.insert(
                     header::ACCESS_CONTROL_ALLOW_HEADERS,
-                    headers.parse().unwrap(),
+                    allow_headers.parse().unwrap(),
                 );
 
                 // Set Allow-Credentials

From d34d394725a7963205870c40fd7954047fa5d0f3 Mon Sep 17 00:00:00 2001
From: Tunay <121901995+Tuntii@users.noreply.github.com>
Date: Sun, 18 Jan 2026 03:09:33 +0300
Subject: [PATCH 2/2] Update crates/rustapi-extras/src/cors/mod.rs

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
---
 crates/rustapi-extras/src/cors/mod.rs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/crates/rustapi-extras/src/cors/mod.rs b/crates/rustapi-extras/src/cors/mod.rs
index 848a3a4..c8d6b26 100644
--- a/crates/rustapi-extras/src/cors/mod.rs
+++ b/crates/rustapi-extras/src/cors/mod.rs
@@ -195,7 +195,7 @@ impl MiddlewareLayer for CorsLayer {
     ) -> Pin<Box<dyn Future<Output = Response> + Send + 'static>> {
         let origins = self.origins.clone();
         let methods = self.methods_header_value();
-        let allow_headers = if self.headers.iter().any(|value| value == "*") {
+        let allow_headers = if self.headers.len() == 1 && self.headers.first().map(|value| value == "*").unwrap_or(false) {
             req.headers()
                 .get(header::ACCESS_CONTROL_REQUEST_HEADERS)
                 .and_then(|value| value.to_str().ok())