CORS Error

Access to fetch has been blocked by CORS policy

Last updated: April 2026

Browser Console Error
Access to fetch at 'https://api.yoursite.com/data' from origin 'https://yourapp.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

This error means your browser sent a cross-origin request and the server did not include the Access-Control-Allow-Origin header in the response. The browser blocks the response to protect users. This is a server-side configuration issue: the fix goes on the server, not in the browser or frontend code.


Fix for Nginx

location /api/ {
    add_header Access-Control-Allow-Origin "https://yourapp.com" always;
    add_header Access-Control-Allow-Methods "GET, POST, OPTIONS" always;
    add_header Access-Control-Allow-Headers "Content-Type, Authorization" always;

    if ($request_method = OPTIONS) {
        add_header Access-Control-Allow-Origin "https://yourapp.com";
        add_header Access-Control-Allow-Methods "GET, POST, OPTIONS";
        add_header Access-Control-Allow-Headers "Content-Type, Authorization";
        return 204;
    }

    proxy_pass http://backend;
}

Fix for Express

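const express = require('express');
const cors = require('cors');

const app = express();

// Mount before any route handlers so every response carries the headers.
app.use(cors({
  origin: 'https://yourapp.com', // exact origin: scheme + host, no trailing slash
  credentials: true,             // sends Access-Control-Allow-Credentials: true
}));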

Fix for FastAPI

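from fastapi import FastAPI
from fastapi.middleware.cors import CORSMiddleware

app = FastAPI()

# Allow the frontend origin only; the value must match the browser's Origin header exactly.
app.add_middleware(
    CORSMiddleware,
    allow_origins=["https://yourapp.com"],
    allow_credentials=True,
    allow_methods=["*"],
    allow_headers=["*"],
)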

Fix for Cloudflare Workers

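const corsHeaders = {
  'Access-Control-Allow-Origin': 'https://yourapp.com',
  'Access-Control-Allow-Methods': 'GET, POST, OPTIONS',
  'Access-Control-Allow-Headers': 'Content-Type',
};

export default {
  async fetch(request) {
    // Answer the preflight directly with the CORS headers.
    if (request.method === 'OPTIONS') {
      return new Response(null, { headers: corsHeaders });
    }
    // Forward everything else, then attach the CORS headers to the response.
    const upstream = await fetch(request);
    const response = new Response(upstream.body, upstream);
    Object.entries(corsHeaders).forEach(([k, v]) => response.headers.set(k, v));
    return response;
  },
};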

Common causes

Missing CORS middleware: the server has no CORS configuration at all. Add the appropriate middleware for your framework.

CORS middleware mounted after routes: in Express, cors() must be mounted before route handlers. In FastAPI, add_middleware() must be called before defining routes.

Wrong origin in allow list: the origin in the request does not match any entry in your allowed origins list. Check for trailing slashes, HTTP vs HTTPS, and port mismatches.

Preflight OPTIONS not handled: POST requests with JSON bodies trigger a preflight. If your server does not respond to OPTIONS, the actual request never fires.

CDN or proxy stripping headers: a Cloudflare or load balancer rule may be removing CORS headers from the response before they reach the browser.

Why curl works but browser fails

curl does not enforce CORS. CORS is a browser security policy. The server returns data to both curl and the browser, but the browser refuses to expose the response to JavaScript when CORS headers are missing. The fix is always server-side.
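
The check that the browser applies and curl skips, written out as an added example (not code from this page or from any browser): a simplified JavaScript model of the response-side CORS check that reports which of the common causes above blocked a response. The names corsCheck and explainMismatch and the sample header sets are assumptions made for illustration.

```javascript
// Added example: simplified model of the CORS check a browser runs on a response.
// pageOrigin is the requesting page's origin; withCredentials mirrors
// fetch(url, { credentials: 'include' }). Header sets below are constructed.
function explainMismatch(allowed, pageOrigin) {
  let a;
  try { a = new URL(allowed); } catch { return 'header value is not a single valid origin'; }
  const b = new URL(pageOrigin);
  if (a.origin === b.origin) return 'same origin but not byte-identical (trailing slash, path or letter case)';
  if (a.protocol !== b.protocol) return 'scheme differs (http vs https)';
  if (a.hostname !== b.hostname) return 'host differs';
  return 'port differs';
}

function corsCheck(pageOrigin, withCredentials, responseHeaders) {
  const h = {}; // header names are case-insensitive
  for (const [k, v] of Object.entries(responseHeaders)) h[k.toLowerCase()] = v;
  const allow = h['access-control-allow-origin'];
  if (allow === undefined) return { exposed: false, reason: 'Access-Control-Allow-Origin missing' };
  if (allow === '*') {
    // The wildcard only satisfies requests sent without credentials.
    return withCredentials
      ? { exposed: false, reason: 'wildcard not accepted with credentials' }
      : { exposed: true, reason: 'wildcard' };
  }
  // The browser compares the header value to the origin as an exact string.
  if (allow !== pageOrigin) return { exposed: false, reason: explainMismatch(allow, pageOrigin) };
  if (withCredentials && h['access-control-allow-credentials'] !== 'true') {
    return { exposed: false, reason: 'Access-Control-Allow-Credentials is not "true"' };
  }
  return { exposed: true, reason: 'exact origin match' };
}

// Constructed responses, one per cause listed above.
const samples = [
  ['no CORS headers', {}],
  ['trailing slash', { 'Access-Control-Allow-Origin': 'https://yourapp.com/' }],
  ['http vs https', { 'Access-Control-Allow-Origin': 'http://yourapp.com' }],
  ['wrong port', { 'Access-Control-Allow-Origin': 'https://yourapp.com:8443' }],
  ['correct', { 'Access-Control-Allow-Origin': 'https://yourapp.com',
                'Access-Control-Allow-Credentials': 'true' }],
];
for (const [label, headers] of samples) {
  const r = corsCheck('https://yourapp.com', true, headers);
  console.log(`${label}: ${r.exposed ? 'exposed' : 'blocked'} (${r.reason})`);
}
```

It models only the check on the final response; the preflight's method and header checks are not covered.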
