How to Fix CORS Errors in JavaScript
CORS errors and how to fix them on the server and client side.
How to Fix CORS Errors in JavaScript
Common CORS Error
Access to fetch at 'https://api.example.com/data' from origin 'https://myapp.com'
has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header
is present on the requested resource.
Fix 1: Configure Server Headers
Add CORS headers to the server response:
Access-Control-Allow-Origin: https://myapp.com
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS
Access-Control-Allow-Headers: Content-Type, Authorization
Fix 2: Express.js (Node.js)
const cors = require("cors"); app.use(cors({ origin: "https://myapp.com", credentials: true }));
Fix 3: Manual Headers
app.use((req, res, next) => { res.header("Access-Control-Allow-Origin", "*"); res.header("Access-Control-Allow-Methods", "GET, POST, PUT, DELETE"); res.header("Access-Control-Allow-Headers", "Content-Type, Authorization"); if (req.method === "OPTIONS") return res.sendStatus(204); next(); });
Fix 4: Development Proxy
Use a proxy in development (Vite, webpack, Next.js):
// vite.config.js export default { server: { proxy: { "/api": "https://api.example.com" } } };
Fix 5: Do Not Use * with Credentials
Access-Control-Allow-Origin: * does not work with credentials: true. Specify the exact origin instead.
The Takeaway
Fix CORS: configure server headers (Access-Control-Allow-Origin, Methods, Headers), use the cors middleware in Express, handle OPTIONS preflight (return 204), use a proxy in development, and do not use * with credentials.
Configure the server to include CORS headers: Access-Control-Allow-Origin (your origin), Access-Control-Allow-Methods, Access-Control-Allow-Headers. Handle OPTIONS preflight with 204. Use the cors middleware in Express. Use a proxy in development.
No. CORS is enforced by the browser based on server headers. You cannot fix it from the client. The server must include the correct CORS headers. In development, use a proxy to avoid CORS entirely.
app.use((req, res, next) => { res.header('Access-Control-Allow-Origin', '*'); res.header('Access-Control-Allow-Methods', 'GET,POST,PUT,DELETE'); res.header('Access-Control-Allow-Headers', 'Content-Type,Authorization'); if (req.method === 'OPTIONS') return res.sendStatus(204); next(); });
No. When using credentials: true (cookies, Authorization), you must specify the exact origin: Access-Control-Allow-Origin: https://myapp.com. The wildcard * does not work with credentials.
Configure a proxy in your dev server. In Vite: server: { proxy: { '/api': 'https://api.example.com' } }. Requests to /api are proxied to the API server, avoiding CORS (same-origin from the browser's perspective).
Ready to master React completely?
Want to upskill yourself, crack your next interview, and get your dream job? Join our comprehensive course to dive deeper with high-quality video tutorials, solve interview questions, and a premium community.
Master React
Want to upskill yourself, crack your next interview, and get your dream job? Join our comprehensive course.

