As covered in our article "Does Cloudflare support Cross-origin resource sharing (CORS)?", we offer support for CORS headers. Access-Control-Allow-Origin headers are often applied to cacheable content - font files, for example.
A web server will often respond with different Access-Control-* headers depending on the Origin header the browser sends in the request, and for that reason requests with different Origin headers are cached separately from each other.
If you have added or changed your CORS configuration on your web server, purging the Cloudflare cache by URL only will not show you the latest headers. To force Cloudflare to retrieve the new version of the file, you can do one of three things:
1. Change the filename or URL - this will bypass the cache and Cloudflare will retrieve the latest headers immediately.
2. Purge single file with CORS headers (API only) - You can purge the URL with our API using the single file purge call and adding the appropriate headers. See an example using cURL below:
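# The --data body uses placeholder www.example.com URLs and a placeholder Origin value; substitute your own.
curl -X DELETE "https://api.cloudflare.com/client/v4/zones/023e105f4ecef8ad9ca31a8372d0c353/purge_cache" \
     -H "X-Auth-Email: email@example.com" \
     -H "X-Auth-Key: c2547eb745079dac4190b638f5e225cf483cc5cfdda41" \
     -H "Content-Type: application/json" \
     --data '{"files":["https://www.example.com/css/styles.css",{"url":"https://www.example.com/cat_picture.jpg","headers":{"Origin":"https://www.example.com"}}]}'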
The above assumes you are purging styles.css which is a regular file and then cat_picture.jpg which is a file that has CORS headers.
3. Purge everything and update the Last-Modified timestamp on your web server. Completing a full CDN purge will force Cloudflare to revalidate any items in its cache, but for this to get the new version of the file, you may need to update your server's last-modified time for the file. You can do this by running touch on the file at the command line, e.g. "touch yourfile.extension", or by re-uploading the file via your FTP client.
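To illustrate option 2, the following added example (not Cloudflare's code) builds a single-file purge body with one entry per Origin and runs it against a toy cache keyed on URL and Origin. The cache model, the helper names and the example.com URLs are assumptions made for the illustration.

```python
def build_purge_body(plain_urls, cors_urls, origins):
    """Plain URLs go in as strings; each CORS URL gets one
    {"url", "headers"} object per Origin that requests it."""
    files = list(plain_urls)
    for url in cors_urls:
        for origin in origins:
            files.append({"url": url, "headers": {"Origin": origin}})
    return {"files": files}

class ToyEdgeCache:
    """Simplified model (an assumption, not Cloudflare's code):
    one cached response per (URL, Origin) pair."""
    def __init__(self, web_server):
        self.web_server = web_server  # callable(url, origin) -> response headers
        self.store = {}

    def get(self, url, origin=None):
        key = (url, origin)
        if key not in self.store:  # cache miss: fetch from the web server
            self.store[key] = self.web_server(url, origin)
        return self.store[key]

    def purge(self, body):
        for entry in body["files"]:
            if isinstance(entry, str):  # URL only: clears the no-Origin variant
                self.store.pop((entry, None), None)
            else:  # URL plus headers: clears that Origin's variant
                self.store.pop((entry["url"], entry["headers"].get("Origin")), None)

def demo():
    allowed = set()  # origins the constructed web server currently allows
    def web_server(url, origin):
        return {"Access-Control-Allow-Origin": origin} if origin in allowed else {}
    url = "https://www.example.com/cat_picture.jpg"  # placeholder URL
    site = "https://app.example.com"                 # placeholder Origin
    cache = ToyEdgeCache(web_server)
    cache.get(url, site)             # cached before CORS was configured
    allowed.add(site)                # CORS configuration changed on the server
    cache.purge({"files": [url]})    # purge by URL only
    stale = cache.get(url, site)     # still the old headers
    cache.purge(build_purge_body([], [url], [site]))
    fresh = cache.get(url, site)     # refetched with the new headers
    return stale, fresh

if __name__ == "__main__":
    print(demo())
```

The dictionary returned by build_purge_body can be serialized to JSON and sent as the request body of the purge_cache call shown in option 2.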
Details on Purge Everything are here: