CORS error when submitting form trigger

tomht · January 7, 2026, 10:47am

Describe the problem/error/question

My n8n instance is hosted on a local machine, with remote access via Cloudflare Zero Trust and Cloudflare tunnels (cloudflared Docker container on local machine). I have access to n8n via a subdomain of a custom domain name (n8n.XYZ.co.uk; actual domain hidden for security!)

I have a workflow which utilises an n8n form submission as a trigger. This has worked well, although I haven’t used it for approximately three to four months. On attempting to run the workflow today, I receive a CORS error in the browser console when attempting to submit the form. Nothing appears in the n8n log files. The Submit button sits spinning, and does not submit the form.

I can recreate this by creating a new workflow with only a simple n8n form input. The error persists on the test and production URL.

All of my other workflows appear to be working normally.

I have tried altering the CORS settings within Cloudflare Zero Trust, without success.

I am unsure if this is an issue with the n8n form submission or with Cloudflare. The origin ‘null’ may originate from n8n?

What is the error message (if any)?

Access to fetch at ‘https://XYZ.cloudflareaccess.com/cdn-cgi/access/login/n8n.XYZ.co.uk?kid=5413e49d73c3a…’ (redirected from ‘https://n8n.XYZ.co.uk/form-test/76c6ef77-2630-4ceb-84b2-f5e189a38686’) from origin ‘null’ has been blocked by CORS policy: No ‘Access-Control-Allow-Origin’ header is present on the requested resource.

Information on your n8n setup

n8n version: 2.2.4
Database (default: SQLite): Default
n8n EXECUTIONS_PROCESS setting (default: own, main): Default
Running n8n via (Docker, npm, n8n cloud, desktop app): Docker
Operating system: Self-hosted Docker

hoiyothaheem · January 7, 2026, 2:49pm

This is a Cloudflare Zero Trust authentication conflict with n8n form triggers. The error shows the form is being redirected to Cloudflare Access login, which causes the CORS issue because the origin becomes ‘null’ during form submission.

Root Cause

Cloudflare Zero Trust is intercepting the form POST request and requiring authentication, but n8n forms submit as cross-origin requests which triggers CORS protection. This worked before because Cloudflare likely changed authentication requirements or the form URL wasn’t properly bypassed.

Solution: Bypass Cloudflare Access for Form Webhooks

You need to create a Cloudflare Access Policy that bypasses authentication for n8n form endpoints:

Step 1: Create Bypass Rule in Cloudflare Zero Trust

Go to Cloudflare Zero Trust Dashboard
Navigate to Access → Applications
Find your n8n application (n8n.XYZ.co.uk)
Click Edit → Policies
Add a new policy:
- Policy name: “Bypass n8n Form Webhooks”
- Action: Bypass
- Rule: Create with these settings:
  - Selector: “Path”
  - Value: /form/* and /form-test/*
  - Or use regex: ^/form(-test)?/.*

Step 2: Alternative - Use Webhook Trigger Instead

If you can’t bypass Access policies, use a regular Webhook trigger instead of Form trigger:

Replace Form Trigger with Webhook Trigger
Create your own HTML form that POSTs to the webhook URL
The webhook doesn’t have the same CORS restrictions

Step 3: Verify CORS Headers in Cloudflare

In Cloudflare Zero Trust → Settings → CORS:

Allowed Origins: Add null or * (for testing)
Allowed Methods: Include POST, OPTIONS
Allow Credentials: Enable

Quick Fix to Test

Temporarily disable Cloudflare Access for the specific form path:

Path: /form-test/*
Action: Bypass
Session Duration: N/A

This should immediately resolve your CORS error.

Why This Happened Now

After 3-4 months:

Cloudflare Access session expired
Cloudflare updated Zero Trust authentication flow
Form URL structure changed in n8n update

I’ve configured this exact setup (n8n behind Cloudflare tunnels) for multiple production environments. The key is ensuring form/webhook endpoints bypass Access authentication since they’re meant for public submissions.

Let me know if you need help with the specific Cloudflare Access policy configuration!

deleted · January 30, 2026, 10:15am

Hi tomht,

I’m having the exact same problem, this is due to the recent changes where the form is sandboxed. The behaviour prevents cookies from being sent with the request, causing CloudFlare Zero Trust to redirect you to the login page.

With all the recent vulns that have been disclosed around N8N, I wasn’t keen to bypass auth on any part of N8N. As I am the only user of my instance, I don’t have a need to open up access , so while the solution from hoiyothaheem will work, it is not ideal.

The workaround posted here Form workflow stuck on waiting page after upgrade - CORS error with 'origin: null' which is for nginx can be applied to CloudFlare:

Login to CloudFlare and select the domain you are using XYZ.co.uk
Go to Rules on the left
- Create Rule → Transform requests or responses → Response Header Transform Rule
Fill out the form:

Rule name: Give the rule a name, something like N8N Forms Fix
If incoming requests match…. Custom filter expression
When incoming requests match…
- Field: URI Path, Operator: Contains, Value: /form
- Click AND
- Field: Hostname, Operator: Equals: Value: n8n.xyz.co.uk
Then… Add Static
Header name: Content-Security-Policy, Value: sandbox allow-downloads allow-forms allow-modals allow-popups allow-scripts allow-same-origin allow-top-navigation-by-user-activation
Click Deploy

I would only do this if your instance is completely behind CloudFlare SSO.

Mtrl_Scientist · February 24, 2026, 3:44pm

Facing the same issue on the latest version (2.9.2). Don’t like the option of bypassing Cloudflare Zero Trust or using webhooks.

There must be a better way…

Alexey_Kharchikov · February 24, 2026, 5:20pm

@Mtrl_Scientist The root cause is n8n’s form submission uses fetch() from within the form page itself, and when Cloudflare Zero Trust intercepts it (even on 2.9.x), it redirects to the CF Access login page — which has a different origin, causing the null origin CORS error.

Here’s a cleaner fix that doesn’t require bypassing Zero Trust entirely:

Option 1: n8n env variable N8N_CORS_ALLOWED_ORIGINS

In your Docker Compose, add:

environment:
  - N8N_CORS_ALLOWED_ORIGINS=https://n8n.yourdomain.com
  - N8N_CORS_ALLOW_CREDENTIALS=true

This tells n8n to explicitly set Access-Control-Allow-Origin headers on form responses, which helps in some setups.

Option 2: Cloudflare WAF rule to exclude form paths from Access (less invasive than full bypass)

Instead of disabling auth globally, create a Service Token in Cloudflare Zero Trust and attach it only to the bypass rule for /form/* paths. This means the form endpoint is technically “open” but only from known CF edge IP ranges, not the public internet.

Option 3: The real fix for Cloudflare + n8n forms (tested on 2.8+)

The issue is that Cloudflare Zero Trust sends a 302 redirect during the AJAX POST from the form. The proper fix is to set a Cloudflare Access cookie exception by enabling “Allow on all subdomains” for your Access application and configuring the Application Session Duration properly, so existing browser sessions are not re-challenged on AJAX requests.

In Zero Trust → Access → your n8n app:

Set Session Duration to something like 24h or 1 week
Enable “Skip identity provider selection” if you use SSO
Make sure the cookie domain matches yourdomain.com (not just n8n.yourdomain.com) to avoid cross-subdomain auth loops

This approach keeps the security intact while preventing Cloudflare from re-challenging the already-authenticated session on form AJAX requests.

Mtrl_Scientist · February 25, 2026, 7:46pm

What worked for me was to set traefik tags to this:
tags = [ "traefik.http.middlewares.n8n-csp.headers.customResponseHeaders.Content-Security-Policy=sandbox allow-downloads allow-forms allow-modals allow-popups allow-scripts allow-same-origin allow-top-navigation-by-user-activation", "traefik.http.routers.n8n.middlewares=n8n-csp" ]

Based on this post.