
CORS Header Not Allowed — Fix

Updated April 2026

Exact Browser Console Error
Access to fetch at 'https://api.example.com' from origin 'https://app.example.com' has been blocked by CORS policy: Request header field authorization is not allowed by Access-Control-Allow-Headers in preflight response.

Your request includes a custom header (Authorization, Content-Type: application/json, or similar) that your server's OPTIONS preflight response does not allow. Add it to Access-Control-Allow-Headers.

The fix — allow the header in your preflight response

Express

// allowedHeaders is returned as Access-Control-Allow-Headers on the preflight response
app.use(cors({
  origin: 'https://app.example.com',
  allowedHeaders: ['Content-Type', 'Authorization', 'X-Custom-Header'],
}));

Nginx

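if ($request_method = OPTIONS) {
    # add_header directives at this level replace any inherited from the
    # enclosing level, so the preflight response must set the origin here too
    add_header Access-Control-Allow-Origin "https://app.example.com";
    add_header Access-Control-Allow-Headers "Authorization, Content-Type, X-Custom-Header";
    return 204;
}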

FastAPI

from fastapi.middleware.cors import CORSMiddleware

app.add_middleware(
    CORSMiddleware,
    allow_origins=["https://app.example.com"],
    allow_headers=["Authorization", "Content-Type"],
)

Allow all headers (development only)

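# Not for production: allows any header.
# The wildcard never covers Authorization (it must still be listed by name),
# and on credentialed requests "*" is treated as a literal header name.
add_header Access-Control-Allow-Headers "*";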

Use CORSFixer to send a real preflight to your API. It shows the exact headers the browser is requesting and what your server is allowing.
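The comparison a browser makes between the headers it requests and the Access-Control-Allow-Headers value can be reproduced offline. This is an added example, not code from this page or from CORSFixer; the function names and the sample request are constructed, and the safelist check is simplified as noted in the comments.

```javascript
// Added example; the sample request at the bottom is constructed.
// Simplified: looks at header names and the Content-Type MIME type only,
// not the value-length and byte restrictions the Fetch spec also applies.
const SAFE_CONTENT_TYPES = ['application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain'];
const ALWAYS_SAFE = ['accept', 'accept-language', 'content-language'];

// Header names the browser would list in Access-Control-Request-Headers.
function unsafeRequestHeaders(headers) {
  return Object.entries(headers)
    .filter(([name, value]) => {
      const n = name.toLowerCase();
      if (ALWAYS_SAFE.includes(n)) return false;
      if (n === 'content-type') {
        const mime = String(value).split(';')[0].trim().toLowerCase();
        return !SAFE_CONTENT_TYPES.includes(mime);
      }
      return true;
    })
    .map(([name]) => name.toLowerCase())
    .sort();
}

// Returns the requested headers that the preflight response does not allow.
function blockedHeaders(requestHeaders, allowHeadersValue, credentialed = false) {
  const allowed = (allowHeadersValue || '')
    .split(',')
    .map((h) => h.trim().toLowerCase())
    .filter(Boolean);
  // "*" is a wildcard only without credentials, and never covers Authorization.
  const wildcard = !credentialed && allowed.includes('*');
  return unsafeRequestHeaders(requestHeaders).filter((name) => {
    if (allowed.includes(name)) return false; // match is case-insensitive
    return name === 'authorization' || !wildcard;
  });
}

// Constructed request matching the console error at the top of the page.
const sampleRequest = {
  Authorization: 'Bearer <token>',
  'Content-Type': 'application/json',
  Accept: 'application/json',
};
console.log(blockedHeaders(sampleRequest, 'Content-Type')); // [ 'authorization' ]
```

An empty result means the header part of the preflight passes; the origin and method checks are separate.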
