HTTP Error Messages
Every error message decoded — what it means, what broke, and the exact fix. No generic advice. Stack-specific config every time.
CORS Cross-Origin Errors
No 'Access-Control-Allow-Origin' header
The most common CORS error. The server isn't returning the Access-Control-Allow-Origin header on responses or on the OPTIONS preflight.
Blocked by CORS policy
Preflight returned the wrong status or headers don't match. Exact fix for Nginx, Express, Cloudflare.
All CORS error messages decoded
Every CORS console error from Chrome, Firefox, and Safari — decoded with exact server-side fix.
Preflight request failed
OPTIONS request returned non-2xx or missing CORS headers. Fix the OPTIONS handler.
Request header field not allowed
Authorization or Content-Type missing from Access-Control-Allow-Headers in preflight response.
CSP Content Security Policy Violations
Refused to load the script
Script blocked by CSP. Source not in script-src allowlist. Get the exact policy update.
Refused to connect — CSP violation
fetch() or XHR blocked by connect-src. API domain missing from CSP connect-src directive.
CSP directive violated
Generic CSP violation message. How to read it, find what's blocked, and add the right source.
Refused to load script (unsafe-inline)
Inline script blocked. Move to nonces or external files. CSP generator builds the policy.
OAuth Auth Errors
invalid_grant
Authorization code expired, already used, or redirect_uri mismatch. Provider-specific fixes.
redirect_uri mismatch
Registered URI doesn't match what the app sends. Trailing slash, port, or scheme difference.
PKCE required
Provider requires PKCE for public clients. Auth0, Okta, Cognito config to enable it.
HTTP Status Code Errors
401 vs 403 — what's the difference
401 = not authenticated. 403 = not authorized. Using the wrong one breaks OAuth clients.
502 Bad Gateway
Upstream server returned invalid response. Check if app is running, check Nginx upstream config.
ERR_TOO_MANY_REDIRECTS
Redirect loop. HTTP→HTTPS redirect conflicting with reverse proxy or CDN settings.
Mixed Content Blocked
HTTPS page loading HTTP resources. upgrade-insecure-requests CSP directive or fix asset URLs.
ERR_BLOCKED_BY_RESPONSE
Cross-origin resource blocked by CORP or other security policy. Exact header to add.