CORS Policy Blocked Request
Learn how to fix 'CORS policy: No Access-Control-Allow-Origin header' errors. Understand how CORS works and how to configure it correctly.
What Does This Error Mean?
The CORS (Cross-Origin Resource Sharing) policy error occurs when a web application tries to make a request to a different origin (domain, protocol, or port) than the one that served the page, and the server does not include the required CORS headers in its response.
Common Causes
Server does not include Access-Control-Allow-Origin header
Preflight OPTIONS request is not handled by the server
Request includes custom headers that need explicit CORS permissions
Credentials mode is set to 'include' but server uses wildcard origin (*)
Frontend and backend are on different ports or domains
Browser blocks the request after preflight fails
How to Fix It
Configure server CORS headers
Add the Access-Control-Allow-Origin header to your server responses.
// Express.js CORS configuration
app.use((req, res, next) => {
res.header("Access-Control-Allow-Origin", "https://yourfrontend.com")
res.header("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE")
res.header("Access-Control-Allow-Headers", "Content-Type, Authorization")
if (req.method === "OPTIONS") return res.sendStatus(200)
next()
})
// Or use the cors package
const cors = require("cors")
app.use(cors({ origin: "https://yourfrontend.com" }))Use a proxy in development
Configure your dev server to proxy API requests to avoid CORS during development.
// Next.js rewrites in next.config.js
module.exports = {
async rewrites() {
return [
{ source: "/api/:path*", destination: "https://api.example.com/:path*" },
]
}
}
// Vite proxy config
// vite.config.js
export default {
server: { proxy: { "/api": "https://api.example.com" } }
}Handle preflight correctly
Ensure your server responds to OPTIONS requests with the correct CORS headers.
// Nginx CORS config
location /api/ {
if ($request_method = OPTIONS) {
add_header Access-Control-Allow-Origin "https://frontend.com";
add_header Access-Control-Allow-Methods "GET, POST, OPTIONS";
add_header Access-Control-Allow-Headers "Authorization, Content-Type";
add_header Access-Control-Max-Age 86400;
return 204;
}
}Before & After Examples
❌ No CORS headers
fetch("https://api.other.com/data")
// Access to fetch at "https://api.other.com/data"
// from origin "https://myapp.com" has been blocked by CORS policy✅ Server includes:
Access-Control-Allow-Origin: https://myapp.com
fetch("https://api.other.com/data") // Works!Related Tools
Use these tools to debug and fix this error:
Related Guides
Deepen your understanding with these guides and tutorials:
Related Errors
Other common errors in this category:
401 Unauthorized Error
Learn what a 401 Unauthorized error means, common causes, and how to fix authentication failures in your web applications.
403 Forbidden Error
Learn what 403 Forbidden means, how it differs from 401, and how to fix access denied errors in your applications.
404 Not Found Error
Learn what 404 Not Found means, common causes, and how to fix broken links and missing resources on your website or API.
429 Too Many Requests Error
Learn what 429 Too Many Requests means, how rate limiting works, and how to handle or avoid hitting API rate limits.
Frequently Asked Questions
Can I disable CORS in my browser for development?
Yes, you can use browser extensions or launch the browser with disabled web security (`--disable-web-security`), but this is for development only. Production code must handle CORS properly.
Does CORS block the request or just the response?
CORS blocks the response, not the request. The browser sends the request normally, but if the response lacks CORS headers, the browser prevents JavaScript from reading the response.