Does no-cors mode bypass CORS security?

Partially — the browser makes the request but gives you an opaque response. The server's CORS policy still applies to what the server does with the request, but the browser hides the response from your JavaScript.

Why does my fetch with no-cors return status 0?

Status 0 is the indicator for an opaque response. The browser has the real response internally but does not expose it to JavaScript — by design.

Can I use no-cors to call a REST API and get data?

No. Opaque responses return no readable data. To read data from a cross-origin API, you need proper CORS headers on the server or a backend proxy.

CORS

CORS no-cors Mode — What It Does and When to Use It

Updated April 2026

 Reading this article? Verify your fix in real-time. Test your actual CORS config → CORSFixer

mode: 'no-cors' makes the CORS error disappear but leaves you with a response you cannot read. It is not a fix for API calls — it is for fire-and-forget requests. Here is when each mode applies.

The three fetch modes

Mode	CORS check?	Can read response?	Use for
cors (default)	Yes	Yes, if CORS headers correct	API calls you need to read
no-cors	No check	No — opaque response	Fire-and-forget (analytics pings)
same-origin	Fails if cross-origin	Yes	Strictly same-origin requests

What no-cors actually does

// You see this in DevTools Network tab
fetch("https://api.example.com/data", { mode: "no-cors" });

// Result:
// Status: 0
// Type: opaque
// Body: (empty — you cannot read it)
// Headers: (empty — you cannot read them)

The request is made. The server processes it. But the browser gives you an opaque blob that contains nothing readable. You cannot check the status code, read the response body, or see any headers.

When no-cors is correct

// Analytics ping — you only care that the request was sent, not the response
fetch("https://analytics.example.com/track", { method: "POST", mode: "no-cors", body: JSON.stringify({ event: "page_view" }),
});

// Preloading a cross-origin image
fetch("https://cdn.example.com/image.jpg", { mode: "no-cors" });
// This "warms" the CDN cache — you do not need to read the response

When no-cors does NOT fix your problem

// If you need to read the response — no-cors breaks it
const res = await fetch("https://api.example.com/data", { mode: "no-cors" });
const data = await res.json(); // ❌ throws — opaque response has no readable body

// The actual fix: configure CORS headers on the server
// Then use default mode: "cors"
const res = await fetch("https://api.example.com/data"); // default is cors
const data = await res.json(); // ✅ works when server has correct CORS headers

The real fix for API CORS errors

If you are getting a CORS error on an API call and using no-cors to silence it — you now have a broken request that appears to succeed. The actual fix depends on your situation:

You control the API → add CORS headers to the server
Third-party API → call it from your backend (server-to-server, no CORS), then forward to your frontend
Development only → use a CORS proxy or browser dev flag temporarily

The CORS proxy pattern for third-party APIs

// Frontend calls YOUR backend, which calls the third-party API
// No CORS issue because server-to-server requests bypass browser CORS

// Your backend (Express)
app.get("/api/proxy/weather", async (req, res) => { const data = await fetch("https://api.third-party.com/weather", { headers: { "API-Key": process.env.THIRD_PARTY_KEY } }).then(r => r.json()); res.json(data); // Your frontend can read this
});

Test your actual CORS config → CORSFixer