CORS and request headers: 405 when adding a additional header


so recently I’ve been having troubles with the angular $resource.

Everything works fine until I add an aditional header "Authorization" to $http.defaults.headers.common (which is the auth token). I get an error from the server with 405 Method not allowed.

As server I am using restify with CORS enabled. As said, CORS and everything works fine util I add this very header to all of my API calls, my server rejects it.

Do you guys have any idea what is going wrong? Do I have to change something on the server to make it work?

Where I add the auth token as “Authorization” to the default headers in app.js

.run(function($localStorage, $http) {
  if ($localStorage.token != null) {
    return $http.defaults.headers.common["Authorization"] = $localStorage.token;

The factory which is causing the trouble

.factory("School", function($_resource) {
  return $_resource(baseApiUrl+"/api/schools");

The modified $resource, also has code parts from other factories, but ignore them if they are not relevant to the School factory.

.factory("$_resource", function($resource, $http, $localStorage) {
  return function(url, params, methods) {
    var defaults, resource;
    defaults = {
      update: {
        method: "put",
        isArray: false,
        params: {
          id: "@id"
      create: {
        method: "post"
    methods = angular.extend(defaults, methods);
    resource = $resource(url, params, methods);
    resource.prototype.$save = function() {
      var args;
      args = 1 <= arguments.length ?, 0) : [];
      if (! {
        return this.$create.apply(this, args);
      } else {
        return this.$update.apply(this, args);
    return resource;

You should phukin add the Authorization header in the response header access-control-origin-expose-headers

Have you managed to solve this problem? I am facing exactly the same situation. Please, share the steps how to fix this (I’m new with AngularJS and web development stuff).
Thank you!