Why does my JavaScript code receive a "No Access-Control-Allow-Origin header is present on the requested resource" error, while Postman does not?
Matthew C.
—You have a frontend app making a request for a resource at a different origin. The URL scheme (HTTP or HTTPS), hostname, and port need to match for two origins to be the same. For example, you are running your frontend and backend apps on local servers with different ports:
http://127.0.0.1:5173
http://127.0.0.1:1337
If you make a POST request to one of your backend APIs from your frontend app, you’ll get the following error:
Access to fetch at 'http://localhost:1337/api from origin 'http://127.0.0.1:5173' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.
Why does this error happen? The same-origin policy is a browser security measure that restricts resource fetching from different origins. It prevents resources, such as API endpoints exposed by a server, from being accessible to a frontend website hosted at a different origin, such as another server. For example, it prevents malicious JavaScript on an attacker’s website from reading data and interacting with an embedded website in an iFrame that loads a website that the user may be logged in to.
To allow resource sharing between a server and a resource at a different origin, the browser uses a mechanism called cross-origin resource sharing (CORS). CORS uses HTTP headers to indicate the origins that a browser should allow resources to be loaded from.
When a request is made, the browser client adds an Origin
header to the request to indicate where the request came from. To allow cross-origin requests to be made, some changes need to be made to the server-side code to add extra headers to the HTTP response sent back to the browser client. These headers start with Access-Control-
. The browser will allow certain cross-origin responses based on these extra headers. The most important of these headers is Access-Control-Allow-Origin
, which specifies the origins that are allowed to access the resources from the server.
Why does requesting a cross-origin resource using Postman work? Postman does not enforce CORS. CORS does not protect a resource, such as an API endpoint, against unwanted access. CORS is implemented by browsers on the client side. It can only block a frontend app from accessing cross-origin resources. It is not a strong security measure: It only restricts access, it does not protect your content. Apps that mimic a server environment and don’t enforce CORS, such as Postman or non-browser HTTP clients such as curl, are not affected by CORS so they bypass CORS restrictions.
A server can protect resources by using an HTTP Authorization
request header. You can also restrict requests to certain IP addresses or block certain IP addresses if needed.
To allow cross-origin requests, add the frontend origin to the Access-Control-Allow-Origin
header. In an Express app, you can install the CORS npm package and add an origin as shown in the code below:
const express = require("express"); const cors = require("cors"); const corsOptions = { origin: "http://127.0.0.1:5173", }; const app = express(); app.use(cors(corsOptions));
Tasty treats for web developers brought to you by Sentry. Get tips and tricks from Wes Bos and Scott Tolinski.
SEE EPISODESConsidered “not bad” by 4 million developers and more than 100,000 organizations worldwide, Sentry provides code-level observability to many of the world’s best-known companies like Disney, Peloton, Cloudflare, Eventbrite, Slack, Supercell, and Rockstar Games. Each month we process billions of exceptions from the most popular products on the internet.
Here’s a quick look at how Sentry handles your personal information (PII).
×We collect PII about people browsing our website, users of the Sentry service, prospective customers, and people who otherwise interact with us.
What if my PII is included in data sent to Sentry by a Sentry customer (e.g., someone using Sentry to monitor their app)? In this case you have to contact the Sentry customer (e.g., the maker of the app). We do not control the data that is sent to us through the Sentry service for the purposes of application monitoring.
Am I included?We may disclose your PII to the following type of recipients:
You may have the following rights related to your PII:
If you have any questions or concerns about your privacy at Sentry, please email us at compliance@sentry.io.
If you are a California resident, see our Supplemental notice.