CORS error when submitting form trigger

Describe the problem/error/question

My n8n instance is hosted on a local machine, with remote access via Cloudflare Zero Trust and Cloudflare tunnels (cloudflared Docker container on local machine). I have access to n8n via a subdomain of a custom domain name (n8n.XYZ.co.uk; actual domain hidden for security!)

I have a workflow which utilises an n8n form submission as a trigger. This has worked well, although I haven’t used it for approximately three to four months. On attempting to run the workflow today, I receive a CORS error in the browser console when attempting to submit the form. Nothing appears in the n8n log files. The Submit button sits spinning, and does not submit the form.

I can recreate this by creating a new workflow with only a simple n8n form input. The error persists on the test and production URL.

All of my other workflows appear to be working normally.

I have tried altering the CORS settings within Cloudflare Zero Trust, without success.

I am unsure if this is an issue with the n8n form submission or with Cloudflare. The origin ‘null’ may originate from n8n?

What is the error message (if any)?

Access to fetch at ‘https://XYZ.cloudflareaccess.com/cdn-cgi/access/login/n8n.XYZ.co.uk?kid=5413e49d73c3a…’ (redirected from ‘https://n8n.XYZ.co.uk/form-test/76c6ef77-2630-4ceb-84b2-f5e189a38686’) from origin ‘null’ has been blocked by CORS policy: No ‘Access-Control-Allow-Origin’ header is present on the requested resource.

Information on your n8n setup

• n8n version: 2.2.4
• Database (default: SQLite): Default
• n8n EXECUTIONS_PROCESS setting (default: own, main): Default
• Running n8n via (Docker, npm, n8n cloud, desktop app): Docker
• Operating system: Self-hosted Docker

This is a Cloudflare Zero Trust authentication conflict with n8n form triggers. The error shows the form is being redirected to Cloudflare Access login, which causes the CORS issue because the origin becomes ‘null’ during form submission.

Root Cause

Cloudflare Zero Trust is intercepting the form POST request and requiring authentication, but n8n forms submit as cross-origin requests which triggers CORS protection. This worked before because Cloudflare likely changed authentication requirements or the form URL wasn’t properly bypassed.

Solution: Bypass Cloudflare Access for Form Webhooks

You need to create a Cloudflare Access Policy that bypasses authentication for n8n form endpoints:

Step 1: Create Bypass Rule in Cloudflare Zero Trust

1. Go to Cloudflare Zero Trust Dashboard
2. Navigate to Access → Applications
3. Find your n8n application (n8n.XYZ.co.uk)
4. Click Edit → Policies
5. Add a new policy:
   • Policy name: “Bypass n8n Form Webhooks”
   • Action: Bypass
   • Rule: Create with these settings:
     • Selector: “Path”
     • Value: /form/* and /form-test/*
     • Or use regex: ^/form(-test)?/.*

Step 2: Alternative - Use Webhook Trigger Instead

If you can’t bypass Access policies, use a regular Webhook trigger instead of Form trigger:

1. Replace Form Trigger with Webhook Trigger
2. Create your own HTML form that POSTs to the webhook URL
3. The webhook doesn’t have the same CORS restrictions

Step 3: Verify CORS Headers in Cloudflare

In Cloudflare Zero Trust → Settings → CORS:

• Allowed Origins: Add null or * (for testing)
• Allowed Methods: Include POST, OPTIONS
• Allow Credentials: Enable

Quick Fix to Test

Temporarily disable Cloudflare Access for the specific form path:

Path: /form-test/*
Action: Bypass
Session Duration: N/A

This should immediately resolve your CORS error.

Why This Happened Now

After 3-4 months:

• Cloudflare Access session expired
• Cloudflare updated Zero Trust authentication flow
• Form URL structure changed in n8n update

I’ve configured this exact setup (n8n behind Cloudflare tunnels) for multiple production environments. The key is ensuring form/webhook endpoints bypass Access authentication since they’re meant for public submissions.

Let me know if you need help with the specific Cloudflare Access policy configuration!