CORS Error Solutions
When you send an HTTP request with a different domain than your page’s domain (or IP address + port number), a CORS error may occur. A CORS error means that the API server rejected your request. To access other domain API from your web page, the backend server you requested must set some CORS headers in the HTTP response to allow CORS requests. Below are some errors caused by incorrectly set HTTP response headers for CORS requests.
Error: No ‘Access-Control-Allow-Origin’ header is present
Error information in web browser console
Access to XMLHttpRequest at 'http://localhost:8081/api' from origin 'http://localhost' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. |
Solutions
First, check that the URL, Method, and Content-Type you requested are correct.
Make sure the server API is up and running.
Enable CORS requests for your server API. Add Access-Control-Allow-Origin in HTTP response header.
Access-Control-Allow-Origin: * |
For example, in Java web projects.
response.setHeader("Access-Control-Allow-Origin", "*"); |
Reasons
The API is not shared with other origins. You need to update the API CORS policy by set Access-Control-Allow-Origin in response headers.
Error: Method xxx is not allowed
Error information in web browser console
Access to XMLHttpRequest at 'http://localhost:8081/api/delete' from origin 'http://localhost' has been blocked by CORS policy: Method DELETE is not allowed by Access-Control-Allow-Methods in preflight response. |
Solutions
Add Access-Control-Allow-Methods: {method_name_in_error_message} in HTTP response header. Note that method names must be capitalized.
For example, in Java web projects.
response.setHeader("Access-Control-Allow-Methods", "DELETE"); |
Reasons
The default allowed HTTP methods for CORS are GET, POST, and HEAD. For other HTTP methods like DELETE or PUT, you need to add it to HTTP response header Access-Control-Allow-Methods.
Error: Request header field xxx is not allowed
Error information in web browser console
Access to XMLHttpRequest at 'http://localhost:8081/api/delete' from origin 'http://localhost' has been blocked by CORS policy: Request header field my-header1 is not allowed by Access-Control-Allow-Headers in preflight response. |
Access to XMLHttpRequest at 'http://localhost:8081/api/get?name=Jack' from origin 'http://localhost' has been blocked by CORS policy: Request header field content-type is not allowed by Access-Control-Allow-Headers in preflight response. |
Solutions
Add Access-Control-Allow-Headers: {header_field_name_in_error_message} in HTTP response header.
For example, in Java web projects.
response.setHeader("Access-Control-Allow-Headers", "my-header1"); |
Reasons
The default allowed HTTP headers for CORS requests are:
- Accept
- Accept-Language
- Content-Language
- Content-Type (value only be application/x-www-form-urlencoded, multipart/form-data, or text/plain)
- Range
For other HTTP headers, you need to add them to HTTP response header Access-Control-Allow-Headers.
Error: The value of the ‘Access-Control-Allow-Origin’ header in the response must not be the wildcard ‘*’
Error information in web browser console
Access to XMLHttpRequest at 'http://localhost:8081/api/get' from origin 'http://localhost' has been blocked by CORS policy: The value of the 'Access-Control-Allow-Origin' header in the response must not be the wildcard '*' when the request's credentials mode is 'include'. The credentials mode of requests initiated by the XMLHttpRequest is controlled by the withCredentials attribute. |
Solutions
Set the value of Access-Control-Allow-Origin to your page domain instead of * in HTTP response header. And set the value of Access-Control-Allow-Credentials to true.
For example, in Java web projects.
response.setHeader("Access-Control-Allow-Origin", "http://localhost"); |
Reasons
When you send a CORS request with credentials, you must set a specific domain in Access-Control-Allow-Origin.
Request with credentials: withCredentials: true
const xhr = new XMLHttpRequest(); |
$.ajax({ |
Error: The value of the ‘Access-Control-Allow-Credentials’ header in the response is ‘’ which must be ‘true’
Error information in web browser console
Access to XMLHttpRequest at 'http://localhost:8081/api/get' from origin 'http://localhost' has been blocked by CORS policy: The value of the 'Access-Control-Allow-Credentials' header in the response is '' which must be 'true' when the request's credentials mode is 'include'. The credentials mode of requests initiated by the XMLHttpRequest is controlled by the withCredentials attribute. |
Solutions
Add Access-Control-Allow-Credentials: true in HTTP response header.
For example, in Java web projects.
response.setHeader("Access-Control-Allow-Credentials", "true"); |
Reasons
When the request’s credentials flag is true, the HTTP response header Access-Control-Allow-Credentials should be true.
Conclusion
There are two scenarios for setting CORS headers. The headers you need to set in each case are given below.
1. No credentials
response.setHeader("Access-Control-Allow-Origin", "*"); // You can also set a specific host. |
2. With credentials
response.setHeader("Access-Control-Allow-Origin", "{your_host}"); // If you use a web framework, it may support setting allow-origin patterns. For example, http://localhost:[*], http://192.168.0.*:[*]. |