Fixing CORS Errors

What a CORS error actually means and how to fix it — on the server, where it belongs.

~1 min read updated Jul 17, 2026 Troubleshooting
  • #cors
  • #http
  • #apis
  • #debugging

Access to fetch at '...' has been blocked by CORS policy.

The error every web developer meets. The good news: it almost always means your code is working — the browser is enforcing a server's rules.

What's actually happening

CORS is enforced by the browser, not your code. When your page on site.com calls an API on api.other.com, the browser asks that API whether site.com is allowed. If the response doesn't say yes, the browser blocks it.

The fix is on the server

The API must send an Access-Control-Allow-Origin header naming your origin. You cannot fix this from the frontend.

import cors from 'cors'
app.use(cors({ origin: 'https://site.com' }))

Preflight requests

For anything beyond a simple GET/POST, the browser first sends an OPTIONS "preflight" request. If your server doesn't answer OPTIONS, the real request never happens.

Access-Control-Allow-Origin: * works but allows every site to call your API. Fine for a truly public, read-only endpoint — never for anything authenticated.

When you don't control the API

If it's a third-party API with no CORS support, proxy it through your own backend. The browser only enforces CORS on requests it makes — server-to-server calls are unaffected.

Related notes