How to fix “CORS policy blocked request”
The browser blocked a cross-origin response because required CORS headers were missing or wrong.
Updated Apr 20, 2026
Fastest fix
Start here first. Step 1 fixes most cases—then work down the list.
- Return Access-Control-Allow-Origin for trusted origins (avoid * with credentials).
- Handle OPTIONS with 204/200 and matching Allow-* for methods and headers.
- Prefer same-origin BFF or reverse proxy when possible instead of wide-open CORS.
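The first two steps as one server-side check for a Node.js API. This is an added example, not code from this page; the allowlist, method list and header list are assumed values, and corsDecision and applyCors are hypothetical names.

```javascript
// Added example. TRUSTED_ORIGINS, ALLOWED_METHODS, ALLOWED_HEADERS are assumed values.
const TRUSTED_ORIGINS = new Set(["https://app.example.com"]);
const ALLOWED_METHODS = ["GET", "POST", "PUT", "DELETE"];
const ALLOWED_HEADERS = ["authorization", "content-type"];

// req is { method, headers } with lower-cased header names (as in Node's http module).
// Returns { preflight, status, headers }; status is null when the route handler decides.
function corsDecision(req) {
  const origin = req.headers["origin"];
  const isPreflight = req.method === "OPTIONS" &&
    "access-control-request-method" in req.headers;
  // Vary: Origin stops caches from reusing one origin's response for another.
  const deny = { preflight: isPreflight, status: isPreflight ? 403 : null,
                 headers: { Vary: "Origin" } };
  // Exact-match allowlist: never "*", never a reflected unknown origin.
  if (!origin || !TRUSTED_ORIGINS.has(origin)) return deny;

  const headers = { Vary: "Origin",
    "Access-Control-Allow-Origin": origin,        // echo the specific origin
    "Access-Control-Allow-Credentials": "true" }; // valid only without "*"
  if (!isPreflight) return { preflight: false, status: null, headers };

  const wantMethod = req.headers["access-control-request-method"];
  const wantHeaders = (req.headers["access-control-request-headers"] || "")
    .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);
  if (!ALLOWED_METHODS.includes(wantMethod) ||
      !wantHeaders.every((h) => ALLOWED_HEADERS.includes(h))) return deny;

  headers["Access-Control-Allow-Methods"] = ALLOWED_METHODS.join(", ");
  headers["Access-Control-Allow-Headers"] = ALLOWED_HEADERS.join(", ");
  return { preflight: true, status: 204, headers };
}

// Call first in an http.createServer handler; true means a preflight was answered here.
function applyCors(req, res) {
  const d = corsDecision(req);
  for (const [name, value] of Object.entries(d.headers)) res.setHeader(name, value);
  if (d.preflight) { res.statusCode = d.status; res.end(); }
  return d.preflight;
}

// Constructed sample: the preflight a browser sends before a credentialed JSON PUT.
const samplePreflight = { method: "OPTIONS", headers: {
  "origin": "https://app.example.com",
  "access-control-request-method": "PUT",
  "access-control-request-headers": "Authorization, Content-Type" } };
console.log(corsDecision(samplePreflight));
```

A request from an origin outside the allowlist still reaches the route handler; the missing Access-Control-Allow-Origin header only stops the browser from exposing the response to the calling script, so authorization must be enforced separately.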
Why this works
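These steps work because the browser only lets JavaScript read a cross-origin response when the server explicitly allows the requesting origin, and when the preflight (OPTIONS) response allows the method and headers being used.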
What this means
Browsers enforce the Same-Origin Policy for JavaScript reads. Cross-origin APIs must explicitly allow the requesting origin via Access-Control-* headers.
Common causes
API not configured for browser access
The server omits Access-Control-Allow-Origin, or its credentials flags do not match the request.
Preflight failure
OPTIONS is not implemented, or the response carries the wrong Allow-Methods/Allow-Headers.
FAQ
- Why does curl work but the browser fails?
  curl is not subject to CORS; browsers enforce it for JS fetches.
- Wildcard with credentials?
  Not allowed; echo a specific origin when using cookies or Authorization headers.
- Chrome extension?
  Extensions use different rules; test in a clean profile without extensions.
Original error message
Access to fetch at 'https://api.example.com' from origin 'https://app.example.com' has been blocked by CORS policy
