debug, Major
CORS errors only in production — missing preflight handling
CORS, preflight, OPTIONS, Access-Control-Allow-Origin, credentials, reverse proxy
browser, nodejs
Problem
The API works fine locally but fails in production with CORS errors. The browser reports that the Access-Control-Allow-Origin header is missing, even though the server has CORS headers set.
Solution
Most common cause: the server does not handle OPTIONS preflight requests. Browsers send an OPTIONS preflight before POST/PUT/DELETE requests with custom headers. Check:
(1) Does your server respond to OPTIONS with 200 and the correct CORS headers?
(2) Is a reverse proxy stripping CORS headers? If so, add the headers at the proxy level.
(3) Are credentials involved? Access-Control-Allow-Origin: * does not work with credentials: 'include'; specify the exact origin.
(4) Does the origin scheme match? http and https are different origins.
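One way to cover checks (1), (3) and (4) in a Node.js server, as an added example that is not part of the original page. The origin allowlist, the method and header lists, and the names corsDecision and withCors are assumptions.

```javascript
// Added example. ALLOWED_ORIGINS and the method/header lists are assumed values.
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]); // exact scheme + host
const ALLOWED_METHODS = "GET, POST, PUT, DELETE, OPTIONS";
const ALLOWED_HEADERS = "Content-Type, Authorization";

// Decide the CORS response headers for one request.
// `headers` uses lower-cased names, as Node's req.headers does.
function corsDecision(method, headers) {
  const origin = headers["origin"];
  const out = { Vary: "Origin" }; // caches must not reuse a response across origins
  const allowed = origin !== undefined && ALLOWED_ORIGINS.has(origin);
  if (allowed) {
    // Echo the exact origin: "*" is rejected by browsers when credentials are sent.
    out["Access-Control-Allow-Origin"] = origin;
    out["Access-Control-Allow-Credentials"] = "true";
  }
  const isPreflight = method === "OPTIONS" &&
    headers["access-control-request-method"] !== undefined;
  if (isPreflight && allowed) {
    out["Access-Control-Allow-Methods"] = ALLOWED_METHODS;
    out["Access-Control-Allow-Headers"] = ALLOWED_HEADERS;
    out["Access-Control-Max-Age"] = "600"; // seconds the browser may cache the preflight
  }
  return { isPreflight, allowed, headers: out };
}

// Wrap a handler for http.createServer(); `next` is the real API logic.
function withCors(next) {
  return (req, res) => {
    const d = corsDecision(req.method, req.headers);
    for (const [k, v] of Object.entries(d.headers)) res.setHeader(k, v);
    if (d.isPreflight) {
      // Answer the preflight here so it never reaches routes without an OPTIONS handler.
      res.statusCode = 200;
      return res.end();
    }
    return next(req, res);
  };
}
```

An origin that is not in the allowlist, including the http:// form of an allowed https:// origin, gets no Access-Control-Allow-Origin header, so the browser blocks the response.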
Why
Local dev often uses same-origin or dev servers with permissive CORS. Production introduces different origins, HTTPS, and reverse proxies that affect CORS.