CORS headers missing from 429 response

When the rate limit is reached, the 429 response is sent without the access-control-allow-origin header, thus preventing a browser application from reading the response and its status code.

Specifically, on the GET /company/{companyNumber} endpoint.

Is the team aware of this? Can I get a response please to indicate the status of this issue?

Bump. Is there a better way of getting a response from the devs on this one? I’ve confirmed this issue is still in production.

So sorry for the delay in updating you all.
Yes, we can now confirm there is an issue with the CORS headers not being included when a 429 response is returned.
Allocation of this work is currently being looked at.

The work to fix this has been given the go-ahead. I will update here when that has been completed and deployed to the live service.

UPDATE: This fix is now in progress and hopefully going into test in the next couple of weeks.
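
Added example, not part of the thread and not the service's code: a toy handler chain showing how a 429 can leave the server without access-control-allow-origin, and what a browser script then sees. It assumes the cause is the rate limiter responding before the CORS handler runs, which the thread does not state; all names, the origin and the key are constructed.

```javascript
// Added example: a toy middleware chain plus the browser's CORS read check.
// Every name and value here is constructed; handler ordering is an assumed cause.
const ORIGIN = "https://app.example"; // constructed client origin

// Rate limiter: answers 429 itself once a key exceeds `limit` requests.
function rateLimit(limit) {
  const seen = new Map();
  return (req, res, next) => {
    const n = (seen.get(req.key) || 0) + 1;
    seen.set(req.key, n);
    if (n > limit) { res.status = 429; return res; } // later handlers never run
    return next();
  };
}

// CORS handler: adds the header for the allowed origin, then continues.
function withCors(req, res, next) {
  if (req.headers.origin === ORIGIN) {
    res.headers["access-control-allow-origin"] = ORIGIN;
  }
  return next();
}

function endpoint(req, res) { res.status = 200; res.body = "{}"; return res; }

// Runs the handlers in order; each may respond or call next().
function handle(chain, req) {
  const res = { status: 0, headers: {}, body: "" };
  const run = (i) => chain[i](req, res, () => run(i + 1));
  return run(0);
}

// What page script gets from a non-credentialed cross-origin fetch: the status
// only if the CORS check passes; otherwise fetch rejects and exposes no status.
function browserView(res, origin) {
  const acao = res.headers["access-control-allow-origin"];
  const ok = acao === origin || acao === "*";
  return ok ? { readable: true, status: res.status } : { readable: false, status: null };
}

// Sends two requests with limit 1 and returns the browser's view of the second.
function secondRequest(order) {
  const limiter = rateLimit(1);
  const chain = order === "limiter-first"
    ? [limiter, withCors, endpoint] : [withCors, limiter, endpoint];
  const req = { key: "constructed-key", headers: { origin: ORIGIN } };
  handle(chain, req);
  return browserView(handle(chain, req), ORIGIN);
}
```

With the limiter first, the client cannot tell a rate limit from a network failure, so it cannot back off on the 429; with the CORS handler first, the status is readable.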