No articles found
Try different keywords or browse our categories
Javascript
Featured
Fix: CORS policy: No 'Access-Control-Allow-Origin' Error in Node & Javascript
Learn how to fix the 'CORS policy: No Access-Control-Allow-Origin' error in JavaScript and Node.js applications. This comprehensive guide covers CORS configuration, headers, and best practices.
By Gautam Sharma
January 2, 2026
13 min read
JavaScript CORS Node.js Error Frontend Backend Security
The ‘CORS policy: No Access-Control-Allow-Origin’ error is a common web security issue that occurs when a web application tries to make requests to a different domain, protocol, or port than the one serving the application. This error is part of the browser’s same-origin policy, which prevents malicious websites from making unauthorized requests to other domains.
This comprehensive guide explains what causes this error, why it happens, and provides multiple solutions to fix it in your JavaScript and Node.js projects with clean code examples and directory structure.
What is the CORS Error?
The “CORS policy: No Access-Control-Allow-Origin” error occurs when:
- A web page tries to make a request to a different domain
- The server doesn’t include proper CORS headers
- Cross-origin requests are blocked by the browser
- API endpoints don’t allow cross-origin requests
- Development servers don’t have CORS configured
Common Error Messages:
Access to fetch at 'url' from origin 'origin' has been blocked by CORS policyNo 'Access-Control-Allow-Origin' header is present on the requested resourceCORS policy: Response to preflight request doesn't pass access control checkThe value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'
Understanding the Problem
CORS (Cross-Origin Resource Sharing) is a security feature implemented by browsers to prevent malicious websites from making unauthorized requests to other domains. It works by requiring servers to explicitly allow cross-origin requests through specific HTTP headers.
Typical JavaScript/Node.js Project Structure:
my-api-app/
├── package.json
├── server.js
├── src/
│ ├── client/
│ │ ├── index.html
│ │ ├── app.js
│ │ └── api.js
│ ├── server/
│ │ ├── routes/
│ │ │ └── api.js
│ │ ├── middleware/
│ │ │ └── cors.js
│ │ └── controllers/
│ │ └── userController.js
│ └── utils/
├── public/
└── config/Solution 1: Configure CORS in Express.js
The most common solution for Node.js/Express applications is to configure CORS middleware.
❌ Without CORS Configuration:
// server.js - ❌ No CORS configuration
const express = require('express');
const app = express();
app.get('/api/data', (req, res) => {
res.json({ message: 'Hello from API' });
});
app.listen(3000, () => {
console.log('Server running on port 3000');
});
// ❌ This will cause CORS error when accessed from different origin✅ With CORS Configuration:
server.js:
// server.js
const express = require('express');
const cors = require('cors');
const app = express();
// ✅ Configure CORS middleware
app.use(cors({
origin: ['http://localhost:3000', 'http://localhost:8080'], // ✅ Allow specific origins
credentials: true, // ✅ Allow credentials
optionsSuccessStatus: 200 // ✅ Some legacy browsers choke on 204
}));
// ✅ Or use default CORS (allows all origins - use carefully in production)
// app.use(cors());
app.get('/api/data', (req, res) => {
res.json({ message: 'Hello from API' });
});
app.listen(3000, () => {
console.log('Server running on port 3000');
});package.json:
{
"name": "my-api-app",
"version": "1.0.0",
"scripts": {
"start": "node server.js",
"dev": "nodemon server.js"
},
"dependencies": {
"express": "^4.18.0",
"cors": "^2.8.5"
},
"devDependencies": {
"nodemon": "^2.0.0"
}
}Solution 2: Custom CORS Middleware
Create custom CORS middleware for more control.
middleware/cors.js:
// ✅ Custom CORS middleware
const cors = (req, res, next) => {
// ✅ Allow specific origins
const allowedOrigins = [
'http://localhost:3000',
'http://localhost:8080',
'https://yourdomain.com'
];
const origin = req.headers.origin;
if (allowedOrigins.includes(origin)) {
res.setHeader('Access-Control-Allow-Origin', origin);
} else {
res.setHeader('Access-Control-Allow-Origin', 'http://localhost:3000'); // ✅ Default for development
}
// ✅ Allow specific headers
res.setHeader('Access-Control-Allow-Headers', 'Origin, X-Requested-With, Content-Type, Accept, Authorization');
// ✅ Allow specific methods
res.setHeader('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE, OPTIONS');
// ✅ Allow credentials
res.setHeader('Access-Control-Allow-Credentials', 'true');
// ✅ Handle preflight requests
if (req.method === 'OPTIONS') {
res.sendStatus(200);
return;
}
next();
};
module.exports = cors;server.js:
const express = require('express');
const cors = require('./middleware/cors'); // ✅ Use custom CORS middleware
const app = express();
app.use(cors); // ✅ Apply custom CORS middleware
app.get('/api/data', (req, res) => {
res.json({ message: 'Hello from API with custom CORS' });
});
app.listen(3000, () => {
console.log('Server running on port 3000');
});Solution 3: Configure CORS for Specific Routes
Apply CORS configuration to specific routes or route groups.
routes/api.js:
const express = require('express');
const router = express.Router();
const cors = require('cors');
// ✅ Different CORS configuration for different routes
const apiCorsOptions = {
origin: ['http://localhost:3000', 'https://yourdomain.com'],
credentials: true,
allowedHeaders: ['Content-Type', 'Authorization']
};
// ✅ Apply CORS to specific routes
router.get('/public', cors(), (req, res) => {
res.json({ message: 'Public data - no auth required' });
});
router.get('/private', cors(apiCorsOptions), (req, res) => {
res.json({ message: 'Private data - auth required' });
});
// ✅ Handle preflight requests
router.options('*', cors(apiCorsOptions));
module.exports = router;server.js:
const express = require('express');
const apiRoutes = require('./routes/api');
const app = express();
app.use('/api', apiRoutes); // ✅ Apply routes with specific CORS
app.listen(3000, () => {
console.log('Server running on port 3000');
});Solution 4: Handle Preflight Requests Manually
Manually handle OPTIONS requests for more control.
server.js:
const express = require('express');
const app = express();
// ✅ Manual CORS preflight handling
app.use((req, res, next) => {
const allowedOrigins = [
'http://localhost:3000',
'http://localhost:8080',
'https://yourdomain.com'
];
const origin = req.headers.origin;
if (allowedOrigins.includes(origin)) {
res.setHeader('Access-Control-Allow-Origin', origin);
}
res.setHeader('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE, OPTIONS');
res.setHeader('Access-Control-Allow-Headers', 'Content-Type, Authorization');
res.setHeader('Access-Control-Allow-Credentials', 'true');
// ✅ Handle preflight requests
if (req.method === 'OPTIONS') {
res.sendStatus(200);
return;
}
next();
});
app.get('/api/data', (req, res) => {
res.json({ message: 'Hello from API' });
});
app.listen(3000, () => {
console.log('Server running on port 3000');
});Solution 5: Use Environment-Specific CORS
Configure CORS differently for development and production.
config/cors.js:
// ✅ Environment-specific CORS configuration
const corsOptions = {
development: {
origin: [
'http://localhost:3000',
'http://localhost:8080',
'http://127.0.0.1:3000',
'http://127.0.0.1:8080'
],
credentials: true
},
production: {
origin: [
'https://yourdomain.com',
'https://www.yourdomain.com'
],
credentials: true
}
};
module.exports = corsOptions[process.env.NODE_ENV || 'development'];server.js:
const express = require('express');
const cors = require('cors');
const corsOptions = require('./config/cors'); // ✅ Environment-specific CORS
const app = express();
app.use(cors(corsOptions)); // ✅ Apply environment-specific CORS
app.get('/api/data', (req, res) => {
res.json({ message: 'Hello from API' });
});
app.listen(process.env.PORT || 3000, () => {
console.log(`Server running on port ${process.env.PORT || 3000}`);
});Solution 6: Client-Side CORS Workarounds
Handle CORS issues from the client side when possible.
src/client/api.js:
// ✅ Client-side API helper with CORS considerations
class APIClient {
constructor(baseURL) {
this.baseURL = baseURL;
}
// ✅ Use credentials for same-origin requests
async request(endpoint, options = {}) {
const url = `${this.baseURL}${endpoint}`;
const config = {
...options,
headers: {
'Content-Type': 'application/json',
...options.headers
},
credentials: 'include' // ✅ Include credentials
};
try {
const response = await fetch(url, config);
if (!response.ok) {
throw new Error(`HTTP error! status: ${response.status}`);
}
return await response.json();
} catch (error) {
console.error('API request failed:', error);
throw error;
}
}
// ✅ GET request
async get(endpoint) {
return this.request(endpoint, { method: 'GET' });
}
// ✅ POST request
async post(endpoint, data) {
return this.request(endpoint, {
method: 'POST',
body: JSON.stringify(data)
});
}
}
// ✅ Usage
const api = new APIClient('http://localhost:3000/api');Solution 7: Use Proxy for Development
Configure a proxy to avoid CORS during development.
package.json (for Create React App):
{
"name": "my-react-app",
"version": "1.0.0",
"scripts": {
"start": "react-scripts start",
"build": "react-scripts build"
},
"proxy": "http://localhost:3000", // ✅ Proxy API requests
"dependencies": {
"react": "^18.0.0",
"react-dom": "^18.0.0"
}
}vite.config.js (for Vite):
import { defineConfig } from 'vite'
import react from '@vitejs/plugin-react'
export default defineConfig({
plugins: [react()],
server: {
proxy: {
'/api': {
target: 'http://localhost:3000', // ✅ Proxy API requests
changeOrigin: true,
secure: false,
}
}
}
})Working Code Examples
Complete Express.js Server with CORS:
// server.js
const express = require('express');
const cors = require('cors');
const path = require('path');
const app = express();
// ✅ CORS configuration
const corsOptions = {
origin: function (origin, callback) {
// ✅ Allow requests with no origin (like mobile apps or curl requests)
if (!origin) return callback(null, true);
const allowedOrigins = [
'http://localhost:3000',
'http://localhost:8080',
'https://yourdomain.com',
'https://www.yourdomain.com'
];
if (allowedOrigins.includes(origin)) {
callback(null, true);
} else {
callback(new Error('Not allowed by CORS'));
}
},
credentials: true,
optionsSuccessStatus: 200
};
app.use(cors(corsOptions));
// ✅ Middleware
app.use(express.json());
app.use(express.urlencoded({ extended: true }));
// ✅ API routes
app.get('/api/hello', (req, res) => {
res.json({ message: 'Hello from API!' });
});
app.post('/api/data', (req, res) => {
const { name, email } = req.body;
res.json({
message: 'Data received successfully',
received: { name, email }
});
});
// ✅ Serve static files
app.use(express.static(path.join(__dirname, 'public')));
// ✅ Handle preflight requests
app.options('*', cors(corsOptions));
const PORT = process.env.PORT || 3000;
app.listen(PORT, () => {
console.log(`Server running on port ${PORT}`);
});Client-Side JavaScript:
// src/client/app.js
class App {
constructor() {
this.apiBase = 'http://localhost:3000/api';
this.init();
}
async init() {
try {
await this.loadData();
this.setupEventListeners();
} catch (error) {
console.error('Failed to initialize app:', error);
}
}
async loadData() {
try {
const response = await fetch(`${this.apiBase}/hello`);
const data = await response.json();
console.log('API Response:', data);
// ✅ Update UI with data
document.getElementById('message').textContent = data.message;
} catch (error) {
console.error('Failed to load data:', error);
}
}
async submitForm(event) {
event.preventDefault();
const name = document.getElementById('name').value;
const email = document.getElementById('email').value;
try {
const response = await fetch(`${this.apiBase}/data`, {
method: 'POST',
headers: {
'Content-Type': 'application/json',
},
body: JSON.stringify({ name, email })
});
const result = await response.json();
console.log('Submit result:', result);
// ✅ Show success message
document.getElementById('result').textContent = result.message;
} catch (error) {
console.error('Failed to submit form:', error);
}
}
setupEventListeners() {
const form = document.getElementById('dataForm');
if (form) {
form.addEventListener('submit', this.submitForm.bind(this));
}
}
}
// ✅ Initialize app when DOM is loaded
document.addEventListener('DOMContentLoaded', () => {
new App();
});HTML File:
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>CORS Example</title>
</head>
<body>
<div id="app">
<h1>CORS Example</h1>
<p id="message">Loading...</p>
<form id="dataForm">
<div>
<label for="name">Name:</label>
<input type="text" id="name" required>
</div>
<div>
<label for="email">Email:</label>
<input type="email" id="email" required>
</div>
<button type="submit">Submit</button>
</form>
<div id="result"></div>
</div>
<script src="app.js"></script>
</body>
</html>Best Practices for CORS
1. Be Specific with Origins
// ✅ Specify exact origins instead of using wildcard
const corsOptions = {
origin: ['https://yourdomain.com', 'https://www.yourdomain.com'] // ✅ Specific origins
// ❌ Don't use: origin: '*' in production
};2. Use Environment Variables
// ✅ Use environment variables for CORS configuration
const allowedOrigins = process.env.NODE_ENV === 'production'
? ['https://yourdomain.com']
: ['http://localhost:3000', 'http://localhost:8080'];3. Handle Credentials Carefully
// ✅ Be careful with credentials in CORS
const corsOptions = {
origin: 'https://yourdomain.com',
credentials: true // ✅ Only when necessary
};4. Validate Requests
// ✅ Validate CORS requests properly
const corsOptions = {
origin: function (origin, callback) {
if (whitelist.includes(origin) || !origin) {
callback(null, true);
} else {
callback(new Error('Not allowed by CORS'));
}
}
};Debugging Steps
Step 1: Check Browser Console
# Open browser dev tools
# Check Console tab for CORS errors
# Look for "Access-Control-Allow-Origin" messagesStep 2: Verify Server Headers
# Check server response headers
curl -I http://localhost:3000/api/data
# Look for Access-Control-Allow-Origin headerStep 3: Test with Different Origins
# Test from different origins to verify CORS configuration
# Use browser extensions or tools to simulate different originsStep 4: Check Preflight Requests
# Test preflight requests manually
curl -X OPTIONS \
-H "Origin: http://localhost:3000" \
-H "Access-Control-Request-Method: POST" \
-H "Access-Control-Request-Headers: X-Requested-With" \
http://localhost:3000/api/dataCommon Mistakes to Avoid
1. Using Wildcard in Production
// ❌ Don't use wildcard origin in production
const corsOptions = {
origin: '*' // ❌ Security risk in production
};2. Forgetting Credentials Configuration
// ❌ Don't forget credentials when needed
app.use(cors({
origin: 'https://yourdomain.com'
// ❌ Missing credentials: true
}));3. Not Handling Preflight Requests
// ❌ Don't forget to handle OPTIONS requests
app.get('/api/data', (req, res) => {
// ❌ Won't handle preflight requests
});4. Inconsistent Origin Configuration
// ❌ Don't have inconsistent origin configurations
app.use(cors({ origin: 'http://localhost:3000' }));
app.get('/api/special', cors({ origin: 'http://localhost:8080' }), handler); // ❌ Different originPerformance Considerations
1. Cache CORS Responses
// ✅ Cache CORS preflight responses
app.use((req, res, next) => {
res.setHeader('Access-Control-Max-Age', '86400'); // ✅ Cache for 24 hours
next();
});2. Optimize CORS Headers
// ✅ Only include necessary CORS headers
// Don't include unnecessary headers that increase response sizeSecurity Considerations
1. Validate Origins Properly
// ✅ Properly validate origins
const corsOptions = {
origin: function (origin, callback) {
const allowed = [
'https://yourdomain.com',
'https://www.yourdomain.com'
];
callback(null, allowed.includes(origin));
}
};2. Limit Allowed Methods
// ✅ Only allow necessary HTTP methods
const corsOptions = {
methods: ['GET', 'POST', 'PUT', 'DELETE'] // ✅ Only necessary methods
};3. Secure Headers
// ✅ Only allow necessary headers
const corsOptions = {
allowedHeaders: ['Content-Type', 'Authorization'] // ✅ Only necessary headers
};Testing CORS Configuration
1. Unit Test CORS Middleware
// Using Jest or similar testing framework
const request = require('supertest');
const app = require('../server');
describe('CORS', () => {
test('should allow requests from allowed origins', async () => {
const response = await request(app)
.get('/api/data')
.set('Origin', 'http://localhost:3000');
expect(response.headers['access-control-allow-origin']).toBe('http://localhost:3000');
});
test('should not allow requests from disallowed origins', async () => {
const response = await request(app)
.get('/api/data')
.set('Origin', 'http://malicious-site.com');
expect(response.status).toBe(403); // Forbidden
});
});2. Test Preflight Requests
test('should handle preflight requests', async () => {
const response = await request(app)
.options('/api/data')
.set('Origin', 'http://localhost:3000')
.set('Access-Control-Request-Method', 'POST')
.set('Access-Control-Request-Headers', 'Content-Type');
expect(response.status).toBe(200);
expect(response.headers['access-control-allow-origin']).toBe('http://localhost:3000');
});Alternative Solutions
1. Use JSONP (Legacy Solution)
// ❌ JSONP is legacy and has security implications
// Only use if CORS is not possible2. Server-Side Proxy
// ✅ Server-side proxy to avoid CORS
app.get('/api/proxy', async (req, res) => {
const externalResponse = await fetch('https://external-api.com/data');
const data = await externalResponse.json();
res.json(data);
});3. Use a CORS Proxy Service
// ❌ Not recommended for production
// Only for development/testing
const proxyUrl = 'https://cors-anywhere.herokuapp.com/';
const apiUrl = 'https://external-api.com/data';
fetch(proxyUrl + apiUrl);Migration Checklist
- Configure CORS middleware in your server
- Specify allowed origins properly
- Handle preflight requests
- Test CORS configuration thoroughly
- Validate CORS settings in production
- Update documentation for team members
- Run security audits on CORS configuration
Conclusion
The ‘CORS policy: No Access-Control-Allow-Origin’ error is a security feature that prevents unauthorized cross-origin requests. By following the solutions provided in this guide—whether through proper CORS middleware configuration, custom CORS handling, or development proxies—you can ensure your JavaScript and Node.js applications handle cross-origin requests securely and effectively.
The key is to understand that CORS is a security feature, not a bug, and to configure it properly based on your application’s needs. With proper CORS configuration, your applications will work seamlessly across different domains while maintaining security best practices.
Remember to be specific with allowed origins, handle preflight requests properly, validate your CORS configuration thoroughly, and follow security best practices to ensure your applications are both functional and secure.
Related Articles
Javascript
[SOLVED] Cannot use import statement outside a module Error in JavaScript
Learn how to fix the 'Cannot use import statement outside a module' error in JavaScript applications. This comprehensive guide covers ES6 modules, Node.js, and browser compatibility.
January 2, 2026
Javascript
Fix: document is not defined error in JavaScript
Learn how to fix the 'document is not defined' error in JavaScript applications. This comprehensive guide covers server-side rendering, Node.js, and browser compatibility.
January 2, 2026
Javascript
[FIXED]: localStorage is not defined error in JavaScript
Learn how to fix the 'localStorage is not defined' error in JavaScript applications. This comprehensive guide covers server-side rendering, Node.js, and browser compatibility.
January 2, 2026