Fix CORS Error on Fly.io
Updated April 2026
Fly.io deploys your Docker container globally. CORS headers come from your application, not from Fly's infrastructure. The fix is in your server code; fly.toml does not support header injection.
CORS is in your application code
Apply the standard fix for your framework — the Fly.io deployment does not change anything about CORS:
Node.js / Express
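const express = require("express");
const cors = require("cors");

const app = express();
// Allow only the origin configured in CORS_ORIGIN (falls back to the production URL)
app.use(cors({ origin: process.env.CORS_ORIGIN || "https://yourapp.com" }));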
FastAPI / Python
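import os

from fastapi import FastAPI
from fastapi.middleware.cors import CORSMiddleware

app = FastAPI()
# Allow only the origin configured in CORS_ORIGIN (falls back to the production URL)
app.add_middleware(
    CORSMiddleware,
    allow_origins=[os.getenv("CORS_ORIGIN", "https://yourapp.com")],
    allow_methods=["*"],
    allow_headers=["*"],
)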
Go / Gin
r.Use(cors.New(cors.Config{
    AllowOrigins: []string{os.Getenv("CORS_ORIGIN")},
    AllowMethods: []string{"GET", "POST", "PUT", "DELETE", "OPTIONS"},
}))
Set CORS_ORIGIN as a Fly secret
fly secrets set CORS_ORIGIN=https://yourapp.com
fly.toml — HTTP service config
# fly.toml — no header config available, but ensure correct port
[http_service]
  internal_port = 8080        # must match what your app listens on
  force_https = true          # always enable
  auto_stop_machines = true
  auto_start_machines = true
Common Fly.io CORS issue — wrong internal port
# Your app must listen on the same port as internal_port in fly.toml
# If internal_port = 8080 but your app listens on 3000, requests never arrive

# Node.js
const PORT = process.env.PORT || 8080;
app.listen(PORT);

# FastAPI
uvicorn main:app --host 0.0.0.0 --port 8080
Multi-region CORS with Fly
Fly.io can deploy your app in multiple regions. Your CORS configuration works identically in all regions — no region-specific config needed.
Fly.io + separate frontend on Vercel
# In Fly secrets
fly secrets set CORS_ORIGIN=https://yourfrontend.vercel.app

# After setting production URL, update to the custom domain
fly secrets set CORS_ORIGIN=https://yourapp.com
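An added example, not code from the original article: while moving from the Vercel URL to the custom domain, both origins can be allowed at once by treating CORS_ORIGIN as an allowlist and echoing back only exact matches. The comma-separated secret format, the function names and the Access-Control-Allow-Headers list are assumptions of this example.

```javascript
// Added example: exact-match origin allowlist read from the CORS_ORIGIN secret.
// Assumption: CORS_ORIGIN holds one or more comma-separated origins, e.g.
//   fly secrets set CORS_ORIGIN=https://yourfrontend.vercel.app,https://yourapp.com

// Parse the secret once at startup and fail fast on entries that are not bare origins.
function parseAllowlist(raw) {
  const allowed = new Set();
  for (const entry of String(raw || "").split(",")) {
    const value = entry.trim();
    if (!value) continue;
    if (value.includes("*")) throw new Error(`wildcards are not accepted: ${value}`);
    let url;
    try {
      url = new URL(value);
    } catch {
      throw new Error(`not a valid origin: ${value}`);
    }
    // A browser's Origin header is scheme://host[:port] with no path or trailing slash.
    if (url.origin !== value) throw new Error(`not a bare origin: ${value}`);
    allowed.add(value);
  }
  return allowed;
}

// Compute the CORS response headers for one request.
function corsHeaders(method, requestOrigin, allowed) {
  // Vary: Origin stops shared caches from reusing one origin's response for another.
  const headers = { Vary: "Origin" };
  // Set membership is an exact string match, so lookalike hosts and suffixes never pass.
  if (!requestOrigin || !allowed.has(requestOrigin)) return headers;
  headers["Access-Control-Allow-Origin"] = requestOrigin;
  if (method === "OPTIONS") {
    headers["Access-Control-Allow-Methods"] = "GET, POST, PUT, DELETE, OPTIONS";
    headers["Access-Control-Allow-Headers"] = "Content-Type, Authorization"; // assumed list
  }
  return headers;
}

// Express-compatible middleware: app.use(corsMiddleware(parseAllowlist(process.env.CORS_ORIGIN)))
function corsMiddleware(allowed) {
  return (req, res, next) => {
    const headers = corsHeaders(req.method, req.headers.origin, allowed);
    for (const [name, value] of Object.entries(headers)) res.setHeader(name, value);
    if (req.method === "OPTIONS") {
      res.statusCode = 204; // preflight is answered here and never reaches route handlers
      return res.end();
    }
    next();
  };
}
```

Once the custom domain is live, removing the Vercel origin from the secret closes the allowlist back down to a single origin.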