Error Encyclopedia

CORS Preflight Request Failed

Fix CORS preflight (OPTIONS) request failures. Learn how browsers check CORS permissions before making cross-origin requests.

What Does This Error Mean?

The CORS preflight request is an OPTIONS request the browser sends before certain cross-origin requests to check if the server permits the actual request. If the preflight fails, the browser blocks the main request without even sending it.

Common Causes

1

Server does not respond to OPTIONS requests

2

Server response to OPTIONS is missing required CORS headers

3

Access-Control-Allow-Methods does not include the request method

4

Access-Control-Allow-Headers does not include custom headers

5

Access-Control-Max-Age header is missing or too short

6

SSL certificate issues causing OPTIONS request to fail

How to Fix It

Handle OPTIONS requests

Ensure your server responds to OPTIONS requests with the correct headers.

// Express: handle OPTIONS for all routes
app.options("*", (req, res) => {
  res.header("Access-Control-Allow-Origin", "https://frontend.com")
  res.header("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE, PATCH")
  res.header("Access-Control-Allow-Headers", "Content-Type, Authorization, X-Requested-With")
  res.header("Access-Control-Max-Age", "86400")
  res.sendStatus(204)
})

Match allowed headers to request headers

List all custom headers your frontend sends in the Access-Control-Allow-Headers response.

// ❌ Preflight fails for custom header
Access-Control-Allow-Headers: Content-Type
// Request includes: X-Custom-Header → blocked!

// ✅ Include all custom headers
Access-Control-Allow-Headers: Content-Type, Authorization, X-Custom-Header

Use the cors middleware

For Node.js, the cors package handles preflight automatically.

const cors = require("cors")
app.use(cors({
  origin: "https://frontend.com",
  methods: ["GET", "POST", "PUT", "DELETE"],
  allowedHeaders: ["Content-Type", "Authorization"],
  maxAge: 86400
}))

Related Tools

Use these tools to debug and fix this error:

REST API Client

Send HTTP requests (GET, POST, PUT, DELETE) and inspect responses from your browser.

curl to Fetch Converter

Convert curl commands to JavaScript fetch, Python requests, and more.

Request Builder

Build HTTP requests interactively and generate code snippets in multiple languages.

Related Guides

Deepen your understanding with these guides and tutorials:

API Basics Guide

Related Errors

Other common errors in this category:

401

401 Unauthorized Error

Learn what a 401 Unauthorized error means, common causes, and how to fix authentication failures in your web applications.

403

403 Forbidden Error

Learn what 403 Forbidden means, how it differs from 401, and how to fix access denied errors in your applications.

404

404 Not Found Error

Learn what 404 Not Found means, common causes, and how to fix broken links and missing resources on your website or API.

429

429 Too Many Requests Error

Learn what 429 Too Many Requests means, how rate limiting works, and how to handle or avoid hitting API rate limits.

Frequently Asked Questions

When does the browser send a preflight request?

Preflight is sent when the request is not a 'simple request' — when it uses a method other than GET/HEAD/POST, includes custom headers, or sets credentials to 'include'.

Can I avoid preflight requests?

Only if your request qualifies as a 'simple request' (GET/POST with basic content types and no custom headers). For most APIs with authorization headers, preflight is unavoidable.

Browse All Error Guides