Cross-Origin Resource Sharing (CORS)

The browser mechanism that controls which origins can call your API.

CORS is a browser mechanism: it is not enforced for curl or server-to-server calls. It applies when JavaScript running on origin A tries to read a response from origin B. The server must opt in with Access-Control-Allow-Origin (and often other Access-Control-* headers). If the check fails, the browser withholds the response body from your JS, even when the server returned 200.

Why developers care

Every SPA, auth redirect flow, and public API called from a browser crosses this path. Mis-set origins, a wrong credentials mode, or a missing preflight (OPTIONS) handler all surface as a “CORS error” with no stack trace. The real fix is correcting the API's response headers (or proxying through a same-origin endpoint); disabling CORS in the browser is not.

Example

Access-Control-Allow-Origin: https://app.example.com
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Allow-Headers: Authorization, Content-Type
Access-Control-Allow-Credentials: true
Vary: Origin
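The headers above are what a correctly configured API emits for one allowed origin. As an added example (not code from the original page), the policy below produces them from an explicit allow-list, answers preflights, and omits every Access-Control-* header for any origin that is not on the list, which is what makes the browser withhold the body. It is written as a pure function so it can be checked without a running server; the origins, header lists and config shape are illustrative assumptions.

```javascript
// Added example, not code from the original page: an allow-list CORS policy
// written as a pure function so it can be tested without a running server.
// The origins, header lists and config shape are illustrative assumptions.

const CORS_CONFIG = {
  // Exact origins (scheme + host + port). No "*" here: browsers refuse "*"
  // together with credentials, and reflecting whatever Origin arrives would
  // let any site read authenticated responses.
  allowedOrigins: new Set(["https://app.example.com"]),
  allowedMethods: ["GET", "POST", "OPTIONS"],
  allowedHeaders: ["Authorization", "Content-Type"],
  allowCredentials: true,
  maxAgeSeconds: 600, // how long the browser may cache the preflight result
};

// Flag the most common mis-set policies before the server even starts.
function policyProblems(config) {
  const problems = [];
  if (config.allowedOrigins.has("*") && config.allowCredentials) {
    problems.push("wildcard origin combined with credentials is rejected by browsers");
  }
  for (const o of config.allowedOrigins) {
    if (o !== "*" && !/^https?:\/\/[^/]+$/.test(o)) {
      problems.push(`origin "${o}" must be scheme://host[:port] with no path`);
    }
  }
  return problems;
}

// Compute the CORS headers for one request.
//   req = { method, headers }  with header names lower-cased, as Node's http does.
// Returns { status, headers }: status 204 means "preflight answered, stop here",
// 403 means "preflight refused", null means "continue to the real handler".
function corsResponse(req, config = CORS_CONFIG) {
  const origin = req.headers["origin"];
  // Vary on Origin so a shared cache never serves one origin's ACAO to another.
  const headers = { Vary: "Origin" };

  // No Origin header: same-origin page, curl, or server-to-server. CORS does not apply.
  if (!origin) return { status: null, headers };

  // Unknown origin: send no Access-Control-* headers at all. The browser then
  // withholds the body from page script even if the real handler returns 200.
  if (!config.allowedOrigins.has(origin)) return { status: null, headers };

  headers["Access-Control-Allow-Origin"] = origin;
  if (config.allowCredentials) headers["Access-Control-Allow-Credentials"] = "true";

  const isPreflight =
    req.method === "OPTIONS" && "access-control-request-method" in req.headers;
  if (!isPreflight) return { status: null, headers };

  // Preflight: the requested method and headers must both be on the allow-list.
  const wanted = req.headers["access-control-request-method"].toUpperCase();
  const requested = (req.headers["access-control-request-headers"] || "")
    .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);
  const allowedLower = config.allowedHeaders.map((h) => h.toLowerCase());
  if (!config.allowedMethods.includes(wanted) ||
      !requested.every((h) => allowedLower.includes(h))) {
    return { status: 403, headers: { Vary: "Origin" } };
  }
  headers["Access-Control-Allow-Methods"] = config.allowedMethods.join(", ");
  headers["Access-Control-Allow-Headers"] = config.allowedHeaders.join(", ");
  headers["Access-Control-Max-Age"] = String(config.maxAgeSeconds);
  return { status: 204, headers };
}

// Constructed sample requests (not captured traffic).
const preflight = {
  method: "OPTIONS",
  headers: {
    origin: "https://app.example.com",
    "access-control-request-method": "POST",
    "access-control-request-headers": "authorization, content-type",
  },
};
const fromUnknownSite = { method: "GET", headers: { origin: "https://other.example" } };

console.log(policyProblems(CORS_CONFIG));   // no problems for this config
console.log(corsResponse(preflight));       // status 204 with the full Access-Control-* set
console.log(corsResponse(fromUnknownSite)); // status null, only Vary: Origin
```

Two design choices matter here. The allowed origin is echoed back only after an exact-match lookup, never copied from the request, so the credentials flag is safe to set. And a rejected origin gets silence rather than an error: the real handler still runs and may return 200, and it is the browser, not the server, that keeps the body away from the calling page, which is exactly the symptom described above.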

Spec

Fetch Living Standard (CORS)
