Skip to content

How to Fix CORS Preflight Request Failed Error

DodaTech Updated 2026-06-24 3 min read

In this tutorial, you'll learn about How to Fix CORS Preflight Request Failed Error. We cover key concepts, practical examples, and best practices to help you understand and apply this topic effectively.

The Problem

Your browser-based API client shows:

Access to fetch at 'https://api.example.com/data' from origin 'https://app.com'
has been blocked by CORS policy: Response to preflight request doesn't pass
access control check: No 'Access-Control-Allow-Origin' header is present.

The browser sent an OPTIONS preflight request to check CORS permissions, and the server did not respond with the required CORS headers.

Quick Fix

1. Enable CORS on the server

// Express.js — use the cors middleware
const cors = require('cors')

// Wrong — no CORS configuration
app.use(cors())  // allows all origins

// Right — restrict to your frontend origin
app.use(cors({
  origin: 'https://app.com',
  methods: ['GET', 'POST', 'PUT', 'DELETE', 'OPTIONS'],
  allowedHeaders: ['Content-Type', 'Authorization'],
  credentials: true
}))

2. Handle OPTIONS preflight requests

The server must handle the OPTIONS method:

// Express.js — cors middleware handles this automatically
// If using a framework without CORS support, handle it manually:
app.options('/api/*', (req, res) => {
  res.header('Access-Control-Allow-Origin', 'https://app.com')
  res.header('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE')
  res.header('Access-Control-Allow-Headers', 'Content-Type, Authorization')
  res.sendStatus(204)
})

3. Check for credentials

If you send cookies or auth headers, the server must allow credentials:

// Client — sending credentials
fetch('https://api.example.com/data', {
  credentials: 'include',  // sends cookies
  headers: {
    'Authorization': 'Bearer token'
  }
})
// Server — must allow credentials AND specific origin
app.use(cors({
  origin: 'https://app.com',  // cannot be '*' with credentials
  credentials: true
}))

4. Fix Nginx CORS configuration

location /api/ {
    if ($request_method = 'OPTIONS') {
        add_header 'Access-Control-Allow-Origin' 'https://app.com';
        add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
        add_header 'Access-Control-Allow-Headers' 'Content-Type, Authorization';
        add_header 'Access-Control-Max-Age' 86400;
        return 204;
    }
    proxy_pass http://backend:3000;
}

5. Check the request triggers preflight

Simple requests (GET, HEAD, POST with certain content types) do not trigger preflight:

// Simple request — no preflight
fetch('/api/data')

// Request that triggers preflight:
// - Custom headers
fetch('/api/data', { headers: { 'X-Custom-Header': 'value' } })
// - Non-simple content type
fetch('/api/data', {
  method: 'POST',
  headers: { 'Content-Type': 'application/json' }
})
// - With credentials
fetch('/api/data', { credentials: 'include' })

6. Use a proxy in development

Bypass CORS during development:

// Vite config
export default defineConfig({
  server: {
    proxy: {
      '/api': 'http://localhost:3000'
    }
  }
})

Prevention

  • Configure CORS properly on the API server — do not use * in production.
  • Test CORS with curl using -H "Origin: https://app.com" -X OPTIONS.
  • Use environment-specific CORS origins.
  • Keep CORS configuration in a single, well-documented place.
  • Use a proxy for development to avoid CORS issues entirely.

Common Mistakes with cors preflight

  1. Placing the wildcard pattern first in case expressions, making all subsequent patterns unreachable
  2. Using head and tail instead of pattern matching, causing runtime errors on empty lists
  3. Forgetting that lazy evaluation defers computation until the value is forced, causing space leaks with unevaluated thunks

These mistakes appear frequently in real-world API code. DodaTech's contributors have identified these patterns through analysis of open-source projects and production systems.

Practice Exercise

Write a pure function that safely divides two integers using Maybe, then test it with edge cases like division by zero and negative numbers.

This exercise reinforces the concepts covered in this guide. Try implementing it before checking online solutions.

FAQ

### What triggers a CORS preflight request?

A preflight occurs when the request uses a method other than GET/HEAD/POST, includes custom headers, has a non-simple Content-Type, or includes credentials (cookies).

Why does curl work but the browser fails?

curl does not enforce CORS policies. The browser is the one that blocks cross-origin requests based on the server's CORS headers. Use curl -H "Origin: https://app.com" -v to test CORS.

Can I use '*' for Access-Control-Allow-Origin?

Only for public APIs that do not require credentials. If you use credentials: 'include' on the client, the server must return a specific origin, not *.

Built by the developers of DodaTech

Doda Browser, DodaZIP & Durga Antivirus Pro