Error Codes Wiki

CORS Preflight Errors — Access-Control-Allow-Origin Troubleshooting Guide

Error category: 4xx client error

Overview

Complete guide to fixing CORS preflight request failures including Access-Control-Allow-Origin, Access-Control-Allow-Methods, and Access-Control-Allow-Headers errors.

Key Details

  • CORS (Cross-Origin Resource Sharing) preflight uses an OPTIONS request before the actual request
  • Preflight is triggered by non-simple requests: custom headers, PUT/DELETE methods, or non-standard Content-Type
  • The server must respond to OPTIONS with appropriate Access-Control-Allow-* headers
  • A failed preflight blocks the actual request entirely — no data is sent or received
  • CORS is enforced by browsers only — server-to-server requests are not affected

Common Causes

  • Server not handling OPTIONS requests or returning incorrect Access-Control headers
  • Access-Control-Allow-Origin missing or not matching the requesting origin
  • Required custom headers not listed in Access-Control-Allow-Headers
  • Access-Control-Allow-Methods not including the HTTP method being used (PUT, DELETE, PATCH)
  • Credentials mode enabled but Access-Control-Allow-Origin set to wildcard (*)

Steps

  1. Check the browser console for the specific CORS error message — it tells you exactly what is missing
  2. On the server, add Access-Control-Allow-Origin with the specific origin or * for public APIs
  3. Add Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS to the server response
  4. Add Access-Control-Allow-Headers listing all custom headers your client sends
  5. If using credentials (cookies), set Access-Control-Allow-Credentials: true and use a specific origin (not *)
  6. Add Access-Control-Max-Age: 86400 to cache preflight results and reduce OPTIONS requests

Tags

cors, preflight, access-control, cross-origin, options-request

Frequently Asked Questions

CORS is a browser security policy. Server-to-server HTTP requests, cURL, and Postman do not enforce CORS because they are not executing potentially malicious JavaScript.