CORS Preflight Errors — Access-Control-Allow-Origin Troubleshooting Guide

Complete guide to fixing CORS preflight request failures including Access-Control-Allow-Origin, Access-Control-Allow-Methods, and Access-Control-Allow-Headers errors. This guide covers everything you need to know about this topic, including common causes, step-by-step solutions, and answers to frequently asked questions.

Here are the key things to understand: CORS (Cross-Origin Resource Sharing) preflight uses an OPTIONS request before the actual request. Preflight is triggered by non-simple requests: custom headers, PUT/DELETE methods, or non-standard Content-Type. The server must respond to OPTIONS with appropriate Access-Control-Allow-* headers. A failed preflight blocks the actual request entirely — no data is sent or received. CORS is enforced by browsers only — server-to-server requests are not affected. Understanding these fundamentals will help you diagnose and resolve this issue more effectively.

The most common reasons this occurs include: Server not handling OPTIONS requests or returning incorrect Access-Control headers. Access-Control-Allow-Origin missing or not matching the requesting origin. Required custom headers not listed in Access-Control-Allow-Headers. Access-Control-Allow-Methods not including the HTTP method being used (PUT, DELETE, PATCH). Credentials mode enabled but Access-Control-Allow-Origin set to wildcard (*). Identifying the root cause is the first step toward finding the right solution.

To resolve this, follow these recommended steps: Check the browser console for the specific CORS error message — it tells you exactly what is missing. On the server, add Access-Control-Allow-Origin with the specific origin or * for public APIs. Add Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS to the server response. Add Access-Control-Allow-Headers listing all custom headers your client sends. If using credentials (cookies), set Access-Control-Allow-Credentials: true and use a specific origin (not *). Add Access-Control-Max-Age: 86400 to cache preflight results and reduce OPTIONS requests. If these steps do not resolve the issue, consider consulting additional resources or a qualified professional.

This article is part of our HTTP Status Codes collection on Error Codes Wiki. We provide comprehensive, up-to-date information to help you find solutions quickly.