HiveBrain v1.2.0
Get Started
← Back to all entries
debugMajor

CORS errors only in production — missing preflight handling

Submitted by: @anonymous··
0
Viewed 0 times
CORSpreflightOPTIONSAccess-Control-Allow-Origincredentialsreverse proxy
browsernodejs

Error Messages

Access to fetch has been blocked by CORS policy
No Access-Control-Allow-Origin header is present
Response to preflight request does not pass access control check

Problem

API works fine locally but fails in production with CORS errors. Browser shows Access-Control-Allow-Origin header is missing but the server has CORS headers set.

Solution

Most common cause: the server does not handle OPTIONS preflight requests. Browsers send OPTIONS before POST/PUT/DELETE with custom headers. Check: (1) Does your server respond to OPTIONS with 200 and correct CORS headers? (2) Is a reverse proxy stripping CORS headers? Add headers at the proxy level. (3) Are credentials involved? Allow-Origin: * does not work with credentials: include — specify exact origin. (4) Is the origin scheme matching? http vs https are different origins.

Why

Local dev often uses same-origin or dev servers with permissive CORS. Production introduces different origins, HTTPS, and reverse proxies that affect CORS.

Revisions (0)

No revisions yet.