CORS errors happen when a browser blocks a cross-origin request because the response does not include the headers required for the requesting origin and method.
Common symptoms
- API calls fail only in the browser
- The same endpoint works in direct server tests
- Preflight OPTIONS requests are blocked
Troubleshooting steps
- Identify the exact origin, method, and headers used by the failing request from the browser console.
- Configure the application or server rules to return the appropriate Access-Control-Allow-Origin and related headers.
- Avoid using a wildcard origin when credentials are required.
- Make sure preflight OPTIONS requests are answered correctly if the request is not simple.
- Test again after clearing caches and confirm the headers appear on the final response.
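One way to apply these steps on the server, as an added example that is not code from this article or any specific product: the function name `corsDecision`, the `POLICY` values and the example.com origins are hypothetical, and `req` is assumed to look like a Node.js request (a `method` string and lowercase header names).

```javascript
// Constructed policy: exact origins only, because credentials are enabled.
const POLICY = {
  origins: new Set(["https://app.example.com", "https://admin.example.com"]),
  methods: ["GET", "POST", "PUT", "DELETE"],
  headers: ["content-type", "authorization"], // compared in lowercase
  credentials: true,
  maxAge: 600, // seconds the browser may cache a preflight result
};

// Returns { status, headers } for the CORS part of a response.
// status 204 = preflight answered, 403 = preflight refused,
// null = not a preflight; continue to the normal handler with these headers.
function corsDecision(req, policy = POLICY) {
  const origin = req.headers["origin"];
  // The response differs per origin, so shared caches must key on it.
  const headers = { Vary: "Origin" };

  // Unknown or missing origin: send no CORS headers; the browser blocks the read.
  if (!origin || !policy.origins.has(origin)) return { status: null, headers };

  // Echo the exact origin. Browsers reject "*" on credentialed requests.
  headers["Access-Control-Allow-Origin"] = origin;
  if (policy.credentials) headers["Access-Control-Allow-Credentials"] = "true";

  // A preflight is an OPTIONS request carrying Access-Control-Request-Method.
  const wantedMethod = req.headers["access-control-request-method"];
  if (req.method !== "OPTIONS" || wantedMethod === undefined) {
    return { status: null, headers };
  }

  const wantedHeaders = (req.headers["access-control-request-headers"] || "")
    .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);
  const methodOk = policy.methods.includes(wantedMethod);
  const headersOk = wantedHeaders.every((h) => policy.headers.includes(h));
  if (!methodOk || !headersOk) {
    // Refuse without any allow headers so the browser fails the preflight.
    return { status: 403, headers: { Vary: "Origin" } };
  }

  headers["Access-Control-Allow-Methods"] = policy.methods.join(", ");
  headers["Access-Control-Allow-Headers"] = policy.headers.join(", ");
  headers["Access-Control-Max-Age"] = String(policy.maxAge);
  return { status: 204, headers };
}
```

Feed it the origin, method and headers copied from the failing request in the browser console to see which check the request does not pass.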
Additional notes
- CORS is enforced by browsers, so server-to-server tests can appear healthy while the browser still blocks the call.
- The correct fix is to return accurate headers, not to disable browser security.
When to contact support
Contact support if you need help identifying where in the stack the headers should be set.