On Windows Server 2022 I have an API that is based on Julia. Everything works fine except CORS handling. I have the following code:

using Oxygen
using HTTP

...

function CorsMiddleware(handler)
    return function(req::HTTP.Request)
        println("CORS middleware")
        
        # Log the request headers
        println("Request Headers -> ", req.headers)
        
        # Handle preflight requests (OPTIONS)
        if HTTP.method(req) == "OPTIONS"
            return HTTP.Response(200, "Preflight response")
        else
            try
                # Call the next handler
                res = handler(req)
                
                # Log the response body
                println("CorsMiddleware: Response Body -> ", res.body)
                
                # Return a basic response without headers
                return HTTP.Response(res.status, res.body)
            catch e
                println("Error in CorsMiddleware when calling handler(req): ", e)
                return HTTP.Response(500, "Internal Server Error")
            end
        end
    end
end

function AuthMiddleware(handler)
    return function(req::HTTP.Messages.Request)
        println("Auth middleware")
        
        try
            # Call the next handler
            res = handler(req)
            
            # Log the response body
            println("AuthMiddleware: Response Body -> ", res.body)
            
            # Return a basic response without any headers
            return HTTP.Response(res.status, res.body)
        catch e
            println("Error in AuthMiddleware when calling handler(req): ", e)
            return HTTP.Response(500, "Internal Server Error")
        end
    end
end

...

serve(port=4091, middleware=[CorsMiddleware, AuthMiddleware])

I added the println statements to see why things don’t work. This is the output:

CORS middleware
Request Headers -> Pair{SubString{String}, 
SubString{String}}["Host" => "localhost:4091", 
"User-Agent" => "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:131.0) Gecko/20100101 Firefox/131.0", "Accept" => "*/*", 
"Accept-Language" => "en-US,en;q=0.5", 
"Accept-Encoding" => "gzip, deflate, br, zstd", 
"Content-Type" => "text/plain", "Content-Length" => "22", 
"Origin" => "https://viewer.trexyz.net", 
"Connection" => "keep-alive", 
"Sec-Fetch-Dest" => "empty", 
"Sec-Fetch-Mode" => "cors", 
"Sec-Fetch-Site" => "cross-site", 
"Priority" => "u=4"]

Auth middleware
AuthMiddleware: Response Body -> UInt8[0x5b, 0x22, 0x4d, 0x69, 0x6c, 0x6c, 0x73, 0x5f, 0x32, 0x22, 0x2c, 0x22, 0x4b, 0x69, 0x70, 0x70, 0x65, 0x6e, 0x5f, 0x42, 0x22, 0x2c, 0x22, 0x4b, 0x69, 0x70, 0x70, 0x65, 0x6e, 0x5f, 0x41, 0x22, 0x5d]
Error in AuthMiddleware when calling handler(req): ArgumentError("invalid header key-value pair: 91")
CorsMiddleware: Response Body -> UInt8[0x49, 0x6e, 0x74, 0x65, 0x72, 0x6e, 0x61, 0x6c, 0x20, 0x53, 0x65, 0x72, 0x76, 0x65, 0x72, 0x20, 0x45, 0x72, 0x72, 0x6f, 0x72]
Error in CorsMiddleware when calling handler(req): ArgumentError("invalid header key-value pair: 73")

The invalid header errors keep coming, no matter what I try – like stricter header handling, and using hardcoded headers. Even a completely stripped test like this gives a 500 error:

using HTTP

function simple_handler(req::HTTP.Request)
    println("Simple handler")
    
    # Create a basic response body
    response_body = "{"message": "Hello, world!"}"
    
    # Return a basic response without headers
    return HTTP.Response(200, response_body)

Does anyone have any idea what’s going wrong here?