Why does my API work in Postman but fail in the browser?

Postman is a developer tool that does not enforce browser security policies including CORS. The browser enforces CORS by blocking responses that lack the correct headers.

What does status 0 mean in the Network tab?

Status 0 means no response was received at all. This is usually a network error, SSL certificate issue, or blocked preflight — not a CORS header problem.

Why does the browser show a CORS error when the server returned 200?

The server processed and responded to the request, but the browser blocked JavaScript from reading the response because CORS headers were missing or incorrect.

CORS

How to Debug CORS Errors in Chrome DevTools

Updated April 2026

 Reading this article? Verify your fix in real-time. Send a live preflight to your API → CORSFixer

The console shows one CORS error. The actual problem could be four different things. DevTools Network tab shows the exact request and response — here is how to read it in 60 seconds.

Step 1 — Open DevTools Network tab before reproducing

Open DevTools (F12) → Network tab → clear the log → reproduce the error. The CORS error will appear in Console, but the Network tab has the detail.

Step 2 — Find the failing request

In Network tab, look for requests with a red warning icon or status 0/CORS. Click on the request. You will see:

Headers tab — request headers (what the browser sent) and response headers (what the server returned)
Preview / Response tab — the response body (if any)

Step 3 — Check the Response Headers

In the Headers tab, scroll to Response Headers. Look for:

What you see	What it means	Fix
No Access-Control-Allow-Origin	Server did not add CORS headers	Add CORS middleware to your server
Access-Control-Allow-Origin: *	Wildcard — works unless you use credentials	Change to explicit origin if using cookies/auth
Access-Control-Allow-Origin: https://wrong.com	Wrong origin in response	Fix server config to match your actual frontend origin
No response at all (status 0)	Network error before CORS check	Check SSL certificate, DNS, server availability

Step 4 — Check for the OPTIONS preflight

If your request uses POST, PUT, DELETE, or custom headers — look for a separate OPTIONS request in the Network tab. It appears just before the actual request.

OPTIONS returns 404 → server does not handle preflight. Add an OPTIONS handler.
OPTIONS returns 200 but no CORS headers → server handles OPTIONS but does not add CORS headers to it.
OPTIONS returns 204 with CORS headers → preflight is correct. Check the actual request headers.

Step 5 — Read the exact Console error message

Each CORS error message tells you exactly what is wrong:

# Missing header entirely
"No 'Access-Control-Allow-Origin' header is present"
→ Server has no CORS config

# Wrong origin
"'Access-Control-Allow-Origin' header has value 'https://other.com'"
→ Server is configured for a different origin

# Credentials + wildcard
"must not be the wildcard '*' when credentials mode is 'include'"
→ Change * to your explicit frontend origin

# Header not in allow list
"Request header field authorization is not allowed"
→ Add Authorization to Access-Control-Allow-Headers on OPTIONS response

# Preflight failed
"Response to preflight request doesn't pass access control check"
→ Your OPTIONS handler is missing or broken

The Postman test

If your API works in Postman but fails in the browser — it is always a CORS issue. Postman does not enforce CORS. The browser does. Your server is responding but not including CORS headers.

Use CORSFixer for a live preflight test

Instead of manually checking headers, CORSFixer sends a real OPTIONS preflight from the browser to your API and shows exactly what was sent and what came back — with a diagnosis of what is wrong.

Send a live preflight to your API → CORSFixer