Facebook Pixel

How to Fix CORS Errors in JavaScript

CORS errors and how to fix them on the server and client side.

How to Fix CORS Errors in JavaScript

Common CORS Error

Access to fetch at 'https://api.example.com/data' from origin 'https://myapp.com'
has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header
is present on the requested resource.

Fix 1: Configure Server Headers

Add CORS headers to the server response:

Access-Control-Allow-Origin: https://myapp.com
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS
Access-Control-Allow-Headers: Content-Type, Authorization

Fix 2: Express.js (Node.js)

const cors = require("cors"); app.use(cors({ origin: "https://myapp.com", credentials: true }));

Fix 3: Manual Headers

app.use((req, res, next) => { res.header("Access-Control-Allow-Origin", "*"); res.header("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE"); res.header("Access-Control-Allow-Headers", "Content-Type, Authorization"); if (req.method === "OPTIONS") return res.sendStatus(204); next(); });

Fix 4: Development Proxy

Use a proxy in development (Vite, webpack, Next.js):

// vite.config.js export default { server: { proxy: { "/api": "https://api.example.com" } } };

Fix 5: Do Not Use * with Credentials

Access-Control-Allow-Origin: * does not work with credentials: true. Specify the exact origin instead.

The Takeaway

Fix CORS: configure server headers (Access-Control-Allow-Origin, Methods, Headers), use the cors middleware in Express, handle OPTIONS preflight (return 204), use a proxy in development, and do not use * with credentials.

Configure the server to include CORS headers: Access-Control-Allow-Origin (your origin), Access-Control-Allow-Methods, Access-Control-Allow-Headers. Handle OPTIONS preflight with 204. Use the cors middleware in Express. Use a proxy in development.

No. CORS is enforced by the browser based on server headers. You cannot fix it from the client. The server must include the correct CORS headers. In development, use a proxy to avoid CORS entirely.

app.use((req, res, next) => { res.header('Access-Control-Allow-Origin', '*'); res.header('Access-Control-Allow-Methods', 'GET,POST,PUT,DELETE'); res.header('Access-Control-Allow-Headers', 'Content-Type,Authorization'); if (req.method === 'OPTIONS') return res.sendStatus(204); next(); });

No. When using credentials: true (cookies, Authorization), you must specify the exact origin: Access-Control-Allow-Origin: https://myapp.com. The wildcard * does not work with credentials.

Configure a proxy in your dev server. In Vite: server: { proxy: { '/api': 'https://api.example.com' } }. Requests to /api are proxied to the API server, avoiding CORS (same-origin from the browser's perspective).

Ready to master React completely?

Want to upskill yourself, crack your next interview, and get your dream job? Join our comprehensive course to dive deeper with high-quality video tutorials, solve interview questions, and a premium community.

Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.
Please Login.