DHIS2 MCP Server

dhis2_diagnose_cors_issues

Diagnose CORS issues in DHIS2 app development by analyzing configuration between your DHIS2 instance and local development environment. Provides specific solutions to resolve cross-origin resource sharing problems.

Instructions

Diagnose and provide solutions for CORS (Cross-Origin Resource Sharing) issues in DHIS2 app development

Input Schema

TableJSON Schema

Name	Required	Description
`dhis2Instance`	Yes	DHIS2 instance URL (e.g., https://play.dhis2.org/2.40.4)
`localDevelopmentUrl`	Yes	Local development URL (e.g., http://localhost:3000)
`browser`	Yes	Browser being used for development
`errorMessage`	No	Specific CORS error message received
`symptoms`	No	Symptoms experienced

Implementation Reference

src/index.ts:1140-1150 (handler)

Handler for the 'dhis2_diagnose_cors_issues' tool call. Receives arguments, passes them to diagnoseCORSIssues function from debugging-helpers, and returns the analysis as text content.

case 'dhis2_diagnose_cors_issues':
  const corsArgs = args as any;
  const corsAnalysis = diagnoseCORSIssues(corsArgs);
  return {
    content: [
      {
        type: 'text',
        text: corsAnalysis,
      },
    ],
  };

src/debugging-helpers.ts:6-149 (helper)

Main implementation logic for diagnosing CORS issues. Analyzes browser, symptoms, DHIS2 instance type, and generates comprehensive markdown report with diagnosis, immediate/long-term solutions, testing commands, and browser checklists.

export function diagnoseCORSIssues(args: any): string {
  const { dhis2Instance, localDevelopmentUrl, browser, errorMessage = '', symptoms = [] } = args;

  const diagnosis = [];
  const solutions = [];

  // Analyze browser-specific issues
  if (browser === 'chrome') {
    diagnosis.push('Chrome has strict SameSite cookie policies since version 94+');
    solutions.push('Use the --proxy flag when starting your DHIS2 app: `yarn start --proxy`');
    solutions.push('Alternative: Start Chrome with disabled security for development: `google-chrome --disable-web-security --user-data-dir=/tmp/chrome-dev`');
  } else if (browser === 'firefox') {
    diagnosis.push('Firefox recently changed SameSite cookie behavior to be more strict');
    solutions.push('Temporarily modify Firefox settings:');
    solutions.push('  1. Open about:config');
    solutions.push('  2. Set `network.cookie.sameSite.laxByDefault` to `false`');
    solutions.push('  3. Set `network.cookie.sameSite.noneRequiresSecure` to `false`');
  }

  // Analyze specific symptoms
  symptoms.forEach((symptom: string) => {
    switch (symptom) {
      case 'login_fails':
        diagnosis.push('Authentication requests are being blocked by CORS policy');
        solutions.push('Add your development URL to DHIS2 CORS allowlist');
        solutions.push('Check if DHIS2 instance supports cross-origin authentication');
        break;
      case 'api_requests_blocked':
        diagnosis.push('API calls are failing due to cross-origin restrictions');
        solutions.push('Configure proxy to route requests through same origin');
        break;
      case 'cookies_not_sent':
        diagnosis.push('Browser is not sending cookies with cross-origin requests');
        solutions.push('Use credentials: "include" in fetch requests');
        solutions.push('Ensure SameSite cookie settings allow cross-origin');
        break;
      case '302_errors':
        diagnosis.push('Login endpoint is redirecting, causing CORS preflight failure');
        solutions.push('Use direct API authentication instead of login forms');
        break;
      case 'preflight_failed':
        diagnosis.push('CORS preflight OPTIONS requests are failing');
        solutions.push('Check DHIS2 server CORS configuration');
        break;
    }
  });

  // DHIS2 Play server specific issues
  if (dhis2Instance.includes('play.dhis2.org')) {
    diagnosis.push('DHIS2 Play instances use nginx with hardened security settings');
    solutions.push('⚠️  DHIS2 Play instances prevent cross-site cookies completely');
    solutions.push('Recommended: Use local DHIS2 instance for development');
    solutions.push('Alternative: Run DHIS2 locally with Docker: `d2 cluster up`');
  }

  return `# CORS Issues Diagnosis

## Configuration Details
- **DHIS2 Instance**: ${dhis2Instance}
- **Local Development**: ${localDevelopmentUrl}
- **Browser**: ${browser.toUpperCase()}
- **Error Message**: ${errorMessage}
- **Symptoms**: ${symptoms.join(', ')}

## Diagnosis
${diagnosis.map(d => `- ${d}`).join('\n')}

## Recommended Solutions

### Immediate Solutions
${solutions.map((s, i) => `${i + 1}. ${s}`).join('\n')}

### Long-term Solutions
1. **Configure CORS Allowlist**
   - Login to your DHIS2 instance as admin
   - Go to Apps → System Settings → Access
   - Add your development URL to "CORS allowlist"

2. **Use Proxy Configuration**
   \`\`\`bash
   # Start with proxy (recommended)
   yarn start --proxy
   \`\`\`

3. **Local Development Instance**
   \`\`\`bash
   # Set up local DHIS2 instance
   npx @dhis2/cli cluster init
   d2 cluster up
   \`\`\`

## Testing CORS Configuration
\`\`\`bash
# Test CORS headers
curl -H "Origin: ${localDevelopmentUrl}" \\
     -H "Access-Control-Request-Method: GET" \\
     -H "Access-Control-Request-Headers: X-Requested-With" \\
     -X OPTIONS \\
     ${dhis2Instance}/api/me

# Expected response should include:
# Access-Control-Allow-Origin: ${localDevelopmentUrl}
# Access-Control-Allow-Credentials: true
\`\`\`

## Browser Dev Tools Checklist
1. Open Network tab and check for:
   - OPTIONS requests (preflight)
   - Response headers with Access-Control-*
   - Cookie header presence in requests

2. Console errors related to:
   - "Cross-Origin Request Blocked"
   - "CORS policy" messages
   - SameSite warnings

## Alternative Development Approaches
${dhis2Instance.includes('play.dhis2.org') ? `
⚠️  Since you're using DHIS2 Play, consider these alternatives:

1. **Local DHIS2 Instance (Recommended)**
   \`\`\`bash
   # Quick setup with Docker
   docker run -d -p 8080:8080 dhis2/core:2.40.4
   \`\`\`

2. **Use DHIS2 CLI Cluster**
   \`\`\`bash
   npx @dhis2/cli cluster init my-cluster
   cd my-cluster
   d2 cluster up
   \`\`\`

3. **Request Dedicated Development Instance**
   - Contact your DHIS2 administrator
   - Request CORS configuration for development URLs
` : ''}

## Security Considerations
⚠️  **Development Only**: Never disable browser security in production
⚠️  **Temporary**: Revert Firefox settings after development
⚠️  **Credentials**: Use separate development credentials
`;
}

src/permission-system.ts:145-145 (registration)
Maps the tool to required permission 'canDebugApplications' in TOOL_PERMISSIONS, used for filtering tools based on user permissions.
```
['dhis2_diagnose_cors_issues', 'canDebugApplications'],
```

Tool Definition Quality

B3.1/5.0

Behavior2/5

Does the description disclose side effects, auth requirements, rate limits, or destructive behavior?

With no annotations provided, the description carries the full burden of behavioral disclosure. It mentions 'diagnose and provide solutions,' implying analysis and recommendations, but doesn't specify whether it performs active testing, modifies configurations, requires specific permissions, or details the output format (e.g., step-by-step fixes, error explanations). This leaves significant gaps for a diagnostic tool.

Agents need to know what a tool does to the world before calling it. Descriptions should go beyond structured annotations to explain consequences.

Conciseness5/5

Is the description appropriately sized, front-loaded, and free of redundancy?

The description is a single, efficient sentence that front-loads the core purpose without unnecessary details. Every word earns its place by specifying the action ('diagnose and provide solutions'), problem ('CORS issues'), and context ('DHIS2 app development'), making it highly concise and well-structured.

Shorter descriptions cost fewer tokens and are easier for agents to parse. Every sentence should earn its place.

Completeness3/5

Given the tool's complexity, does the description cover enough for an agent to succeed on first attempt?

Given the tool's complexity (diagnostic with 5 parameters), no annotations, and no output schema, the description is minimally adequate. It covers the purpose but lacks details on behavioral traits, usage context, and output expectations. For a diagnostic tool, more context on what the tool actually does (e.g., generates reports, suggests config changes) would improve completeness.

Complex tools with many parameters or behaviors need more documentation. Simple tools need less. This dimension scales expectations accordingly.

Parameters3/5

Does the description clarify parameter syntax, constraints, interactions, or defaults beyond what the schema provides?

Schema description coverage is 100%, so the schema fully documents all 5 parameters (e.g., dhis2Instance, localDevelopmentUrl, browser, errorMessage, symptoms). The description doesn't add any parameter-specific context beyond what's in the schema, such as explaining how these inputs influence diagnosis or providing examples of common error messages. Baseline 3 is appropriate when the schema does the heavy lifting.

Input schemas describe structure but not intent. Descriptions should explain non-obvious parameter relationships and valid value ranges.

Purpose4/5

Does the description clearly state what the tool does and how it differs from similar tools?

The description clearly states the tool's purpose: 'Diagnose and provide solutions for CORS issues in DHIS2 app development.' It specifies the verb ('diagnose and provide solutions'), resource ('CORS issues'), and domain context ('DHIS2 app development'). However, it doesn't explicitly differentiate from sibling tools like 'dhis2_configure_cors_allowlist' or 'dhis2_fix_proxy_configuration', which prevents a perfect score.

Agents choose between tools based on descriptions. A clear purpose with a specific verb and resource helps agents select the right tool.

Usage Guidelines2/5

Does the description explain when to use this tool, when not to, or what alternatives exist?

The description provides no guidance on when to use this tool versus alternatives. It doesn't mention prerequisites (e.g., during development vs. production), compare it to sibling tools like 'dhis2_configure_cors_allowlist' for configuration or 'dhis2_fix_proxy_configuration' for proxy-related fixes, or specify scenarios where it's most appropriate (e.g., initial setup vs. debugging).

Agents often have multiple tools that could apply. Explicit usage guidance like "use X instead of Y when Z" prevents misuse.

Install Server

Other Tools

Latest Blog Posts

Tool Definition Quality Score (TDQS)
By punkpeye on April 3, 2026.
mcp
The Hackers Who Tracked My Sleep Cycle
By punkpeye on March 26, 2026.
security
Open Source Has a Bot Problem
By punkpeye on March 19, 2026.
open source

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/Dradebo/dhis2-mcp'

If you have feedback or need assistance with the MCP directory API, please join our Discord server