How do I read a CORS error in the browser console and network tab?

Open DevTools and check both panels together. The Console prints the specific reason, such as "No 'Access-Control-Allow-Origin' header is present on the requested resource" or a named reason like CORSMissingAllowOrigin. The Network tab shows the actual exchange: look for a failed OPTIONS row (the preflight) sitting just above the real request, click it, and inspect the response headers. If Access-Control-Allow-Origin is absent or does not match your origin, that is the failure. The request status may show as (failed) or CORS error rather than a normal HTTP code. Reading the preflight response headers tells you exactly which Allow-* header the server omitted.

How do I fix a missing Access-Control-Allow-Origin header on the server?

Add the header to the server response for the route the browser is calling. MDN gives concrete examples: in Apache, Header set Access-Control-Allow-Origin 'https://example.com'; in Nginx, add_header 'Access-Control-Allow-Origin' 'https://example.com' always. Name the exact origin rather than using the wildcard if the request sends credentials. For preflighted requests you also need to handle the OPTIONS method and return Access-Control-Allow-Methods and Access-Control-Allow-Headers that cover what the client sends. If you do not control the server, route the call through a proxy you do control, or restructure it as a simple request to skip preflight.

Why can't I use Access-Control-Allow-Origin: * with credentials like cookies?

When a request includes credentials such as cookies, TLS client certificates, or an Authorization header, the browser forbids the wildcard. The server must return an explicit origin like Access-Control-Allow-Origin: https://example.com and also send Access-Control-Allow-Credentials: true, where true is the only valid case-sensitive value. The combination of a wildcard origin and credentials is rejected because it would expose authenticated, user-specific content to any site on the web, opening a cross-site data leak. To send credentials, the client also has to opt in with fetch credentials set to 'include' or withCredentials true on XMLHttpRequest.

Does a CORS error mean my request never reached the server?

Not usually. For a non-preflighted request, the browser typically sends the request and receives the response, then blocks your JavaScript from reading it because the authorizing header is missing. The side effects may already have happened on the server. For a preflighted request it is different: if the OPTIONS preflight fails, the browser never sends the real request, so nothing executes. To tell which case you are in, check the Network tab. A failed OPTIONS with no following real request means the call was stopped before reaching your handler; a completed real request with a blocked response means it ran but the result was withheld from the page.

CORS Debugging

How to Debug CORS Errors: A Practical Field Guide

Q: Why does my fetch fail with a CORS error even though the API works in Postman or curl?

CORS is enforced only by web browsers, not by command-line tools or API clients. Postman and curl ignore the same-origin policy entirely, so they never check for Access-Control-Allow-Origin. When the browser makes the same call from a web page, it blocks the response because the server did not return the header authorizing your origin. The request often reaches the server and runs successfully; the browser just refuses to expose the response to your JavaScript. The fix lives on the server: it must send an Access-Control-Allow-Origin header naming your origin.

Q: What is a CORS preflight request and when does the browser send one?

A preflight is an automatic OPTIONS request the browser sends before the real request to ask the server which methods and headers it permits. The browser sends it whenever the call is not a simple request: when it uses a method other than GET, HEAD, or POST; when a POST carries a Content-Type outside application/x-www-form-urlencoded, multipart/form-data, or text/plain; or when it sets any header outside the CORS-safelisted set. A JSON body or a custom Authorization header almost always triggers preflight. The server must answer the OPTIONS with the matching Access-Control-Allow-* headers and a success status, or the real request never goes out.

CORS is enforced only by the browser, and most fixes live on the server. Read the failing preflight and the console error together, and the right Access-Control-Allow-* header stops being a guess.

Hrishikesh BaidyaJun 5, 20268 min read

Guides

Isometric line-art of a browser split into a console panel with a red CORS error and a network panel showing a failing OPTIONS preflight linked to the blocked request, in lime on near-black

You wrote a fetch, it works in Postman, and the browser console lights up red: blocked by CORS policy. The reflex is to assume the request failed. It usually did not. Cross-Origin Resource Sharing is a browser-enforced rule, and a CORS error means the response came back but the browser will not hand it to your JavaScript because the server did not say your origin is allowed.

That single reframing changes the whole debugging loop. You stop poking at the client and start reading what the server returned. This guide covers what the error actually means, when the browser inserts a preflight OPTIONS request, how to read the failure across the Console and Network tabs, and the exact server-side header to add for each common misconfiguration. The reference throughout is MDN's CORS documentation, which enumerates the rules and the error strings precisely.

What does a CORS error actually mean?

A CORS error means the browser blocked a cross-origin response because the server did not return the headers authorizing your origin. The request often reached the server and ran; the browser simply withholds the response from your script. CORS is enforced only by browsers, so the same call succeeds in curl or Postman. Most fixes are server-side: send the correct Access-Control-Allow headers.

The same-origin policy is the default: a page at https://app.example.com cannot read a response from https://api.other.com unless that server opts in. CORS is the opt-in mechanism. The server grants access by returning an Access-Control-Allow-Origin header naming the requesting origin (or *). No header, no access. The browser blocks the read and prints a reason in the console.

This is why your API works in Postman and curl but not the browser: command-line clients do not implement the same-origin policy, so they never look for the header. That difference is the single most common source of confusion. The server is fine; the browser is doing its job. MDN states the consequence plainly: most CORS errors can only be resolved on the server, because the server controls whether cross-origin access is allowed.

Simple requests vs. preflighted requests

The browser splits cross-origin requests into two kinds, and knowing which one you are making tells you where to look. A request stays a simple request — no preflight — only when it uses GET, HEAD, or POST and sets nothing outside the CORS-safelisted request headers: Accept, Accept-Language, Content-Language, Content-Type, and Range. Anything else upgrades it to a preflighted request.

The trap most engineers hit is Content-Type. A POST stays simple only when its Content-Type is application/x-www-form-urlencoded, multipart/form-data, or text/plain. The moment you send a JSON body — application/json — the request is downgraded to a preflight. A custom Authorization header does the same thing. So your everyday JSON API call almost always triggers an OPTIONS preflight before the real request goes out.

Feature	Request attribute	Stays simple (no preflight)	Triggers preflight
HTTP method	Verb used	GET, HEAD, POST	PUT, PATCH, DELETE, etc.
Content-Type	Body media type	form-urlencoded, multipart, text/plain	application/json and others
Custom headers	Headers set by code	Only CORS-safelisted	Authorization, X-* custom headers

Two-sided trigger table. If any cell on the right is true, the browser sends an OPTIONS preflight before your request — and that OPTIONS is the row to inspect first.

A preflight is an automatic OPTIONS request the browser sends first, carrying Access-Control-Request-Method and Access-Control-Request-Headers to ask: will you accept this verb and these headers? The server must answer with matching Access-Control-Allow-Methods and Access-Control-Allow-Headers and a success status. If it does, the browser caches that answer for the duration of Access-Control-Max-Age — MDN documents a default of 5 seconds, with each browser enforcing its own internal maximum that overrides larger values — then sends the real request. If the preflight fails, the real request never leaves the browser.

Read it in the console and the network tab

Debug CORS with both DevTools panels open, because each tells you half the story. The Console gives you the reason string. The Network tab gives you the evidence. Chrome prints messages like No 'Access-Control-Allow-Origin' header is present on the requested resource; Firefox prints a named reason from MDN's list — CORSMissingAllowOrigin, CORSNotSupportingCredentials, CORSMethodNotFound, CORSMissingAllowHeaderFromPreflight, and about a dozen more. The reason string is not noise. It maps directly to the missing header.

Then switch to Network. For a preflighted request you will see two rows: a failed OPTIONS sitting just above the real request. Click the OPTIONS row and read its response headers. Is Access-Control-Allow-Origin present? Does it match your origin exactly? Does Access-Control-Allow-Headers include the header you sent? The absent or mismatched header is the bug. The request may show as (failed) or CORS error instead of a normal status code.

Fixes by server, by error

Because the fix is server-side, the work is adding the right header to the response for the route the browser calls. For a missing Access-Control-Allow-Origin, MDN gives the canonical snippets. The wildcard * works only for non-credentialed requests; name the explicit origin when credentials are involved.

cors-fixes.confnginx

# --- Apache: missing Access-Control-Allow-Origin ---
# Header set Access-Control-Allow-Origin "https://app.example.com"

# --- Nginx: allow a named origin (use the explicit origin, not * with credentials) ---
add_header 'Access-Control-Allow-Origin' 'https://app.example.com' always;

# --- Nginx: answer the preflight for a JSON PUT/PATCH/DELETE ---
location /api/ {
  if ($request_method = OPTIONS) {
    add_header 'Access-Control-Allow-Origin'  'https://app.example.com' always;
    add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, PATCH, DELETE' always;
    add_header 'Access-Control-Allow-Headers' 'Authorization, Content-Type' always;
    add_header 'Access-Control-Max-Age' 86400 always;
    return 204;
  }
  # ...proxy_pass to your app
}

# --- Credentialed request: explicit origin + the only valid credentials value ---
add_header 'Access-Control-Allow-Origin'      'https://app.example.com' always;
add_header 'Access-Control-Allow-Credentials' 'true' always;  # 'true' is the ONLY valid value

Three rules cover most of the named errors. First, for CORSMethodNotFound on a verb like PUT, PATCH, or DELETE, add it to Access-Control-Allow-Methods — note that GET, HEAD, and POST are always permitted as CORS-safelisted methods even if you omit them, so a missing method only matters for the other verbs. Second, for CORSMissingAllowHeaderFromPreflight, the preflight response must include Access-Control-Allow-Headers covering whatever the request listed in Access-Control-Request-Headers (commonly Authorization or Content-Type). Third, for credentialed requests, never combine a wildcard with credentials.

If you do not control the server at all, you have two escapes MDN notes: route the call through a proxy you do control so the browser talks to a same-origin endpoint, or restructure the request as a simple request so it skips preflight. Neither is a substitute for fixing the upstream headers, but both unblock you.

Make the failure agent-readable

Every CORS guide ends here: open DevTools, read two panels, add a header. That loop assumes a human is sitting in front of the browser cross-referencing the console reason against the preflight response. The evidence is split across two places and exists only in that one DevTools session. Paste the console line into a chat with an AI agent and you have thrown away the half that matters — the preflight response headers that name the missing Allow-*.

This is the wedge BugMojo is built on. The browser extension captures the failing exchange as one artifact: the OPTIONS preflight with its response headers, the matching console CORS error string, and the originating fetch that triggered it, lined up together. The MCP server hands that bundle to an AI coding agent — Claude Code, Cursor — as structured evidence. The agent sees the preflight, sees that Access-Control-Allow-Origin is absent, sees the request that needed it, and names the exact server-side fix instead of guessing from a pasted error line.

Feature	Browser DevTools	Error monitoring (Sentry)	BugMojo
Live, full DevTools network/console depth	✓	partial	partial
Mature production error aggregation & alerting	—	✓	early
Preflight OPTIONS + console error captured as one artifact	manual	—	✓
Shareable one-click capture (no copy-paste)	—	partial	✓
Failing exchange exposed to an AI agent over MCP	—	—	✓
Agent names the server-side fix from the evidence	—	—	✓

Honest two-sided view. DevTools and error-monitoring tools beat BugMojo on breadth and production maturity; the agent-readable capture that pairs the preflight with the console error is the row they do not have.

A CORS error is the server's missing header echoed back by the browser. Read the preflight next to the console reason and the fix names itself.
BugMojo engineering

Capture the failing preflight and console error together

Install the free BugMojo extension to capture the OPTIONS preflight, the console CORS reason, and the originating fetch as one shareable artifact — then let an AI agent name the server-side fix over MCP. No project setup required.

Install the extension

Frequently asked questions

Sources

Get bug-tracking insights, weekly.

Engineering deep-dives, QA playbooks, and honest tool comparisons. No spam — unsubscribe in one click.