CORS Header Not Allowed — Fix

Exact Browser Console Error
Access to fetch at 'https://api.example.com' from origin 'https://app.example.com' has been blocked by CORS policy: Request header field authorization is not allowed by Access-Control-Allow-Headers in preflight response.

Your request includes a custom header (Authorization, Content-Type: application/json, or similar) that your server's OPTIONS preflight response does not allow. Add it to Access-Control-Allow-Headers.

The fix — allow the header in your preflight response

Express

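const express = require('express');
const cors = require('cors');
const app = express();
// List every non-safelisted header the client sends; the middleware answers the OPTIONS preflight
app.use(cors({
  origin: 'https://app.example.com',
  allowedHeaders: ['Content-Type', 'Authorization', 'X-Custom-Header'],
}));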

Nginx

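# add_header is not inherited from the enclosing level once this block sets its own,
# so the preflight response must carry Access-Control-Allow-Origin here as well.
if ($request_method = OPTIONS) {
    add_header Access-Control-Allow-Origin "https://app.example.com";
    add_header Access-Control-Allow-Headers "Authorization, Content-Type, X-Custom-Header";
    return 204;
}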

FastAPI

from fastapi import FastAPI
from fastapi.middleware.cors import CORSMiddleware

app = FastAPI()
app.add_middleware(CORSMiddleware,
    allow_origins=["https://app.example.com"],
    allow_headers=["Authorization", "Content-Type"],
)

Allow all headers (development only)

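# Not for production: allows any header.
# Per the Fetch spec, "*" does not cover Authorization and is read literally on credentialed requests.
add_header Access-Control-Allow-Headers "*";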
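
As an added example (not part of the original page and not CORSFixer's code), the code below models the header check the Fetch spec prescribes for a preflight response, including the two cases where `*` does not help: the Authorization header and credentialed requests. The function names and the sample header values are constructed for illustration.

```javascript
// Added example: models the CORS preflight header check from the Fetch spec.
// parseList and blockedHeaders are illustrative names, not a library API.

// Split a comma-separated header value into lowercase tokens.
function parseList(value) {
  return (value || '')
    .split(',')
    .map((s) => s.trim().toLowerCase())
    .filter(Boolean);
}

// Returns the requested headers that the preflight response does not allow.
//   requested:    Access-Control-Request-Headers sent by the browser
//   allowed:      Access-Control-Allow-Headers returned by the server
//   credentialed: true when the request uses credentials: 'include'
function blockedHeaders(requested, allowed, credentialed = false) {
  const allow = new Set(parseList(allowed));
  // "*" acts as a wildcard only for non-credentialed requests;
  // with credentials it is compared as a literal header name.
  const wildcard = allow.has('*') && !credentialed;
  return parseList(requested).filter((name) => {
    if (allow.has(name)) return false;         // explicitly listed
    if (name === 'authorization') return true; // never covered by "*"
    return !wildcard;
  });
}

// Constructed sample preflights: [requested, allowed, credentialed]
const samples = [
  ['authorization,content-type', 'Content-Type', false],
  ['authorization,content-type', 'Authorization, Content-Type, X-Custom-Header', false],
  ['authorization,content-type', '*', false],
  ['content-type,x-custom-header', '*', true],
];

for (const [requested, allowed, credentialed] of samples) {
  const blocked = blockedHeaders(requested, allowed, credentialed);
  console.log(
    `allow="${allowed}" credentials=${credentialed} ->`,
    blocked.length ? `blocked: ${blocked.join(', ')}` : 'preflight passes'
  );
}
```

The first sample reproduces the console error above: the server allows Content-Type only, so `authorization` is reported as blocked.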

Use CORSFixer to send a real preflight to your API — it shows the exact headers the browser is requesting and what your server is allowing.
