Error3 Fixes Available

Access to fetch at 'X' has been blocked by CORS policy

Access to fetch at 'https://api.example.com/data' from origin 'http://localhost:3000' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource

What does this error mean?

CORS (Cross-Origin Resource Sharing) is a browser security feature that prevents a website on one domain (like localhost:3000) from making fetch/XHR requests to another domain (like api.example.com) unless the server explicitly allows it.

Common Causes

The API server is missing the 'Access-Control-Allow-Origin' header
Calling an external API directly from the frontend browser code
Localhost development environment not whitelisted on the backend
The 'OPTIONS' preflight request failed or was rejected

How to Fix It (3 Solutions)

Use a Proxy (The Frontend Fix)

Route requests through your own backend or dev server to bypass browser CORS checks.

Code

// Next.js: next.config.mjs
const nextConfig = {
  async rewrites() {
    return [
      {
        source: '/api/:path*',
        destination: 'https://api.example.com/:path*',
      },
    ];
  },
};

// Now fetch from your own domain: fetch('/api/users')

Add CORS Headers (The Backend Fix)

If you control the API, add the Access-Control-Allow-Origin header.

Code

// Express.js
const cors = require('cors');
app.use(cors({ origin: 'http://localhost:3000' }));

// Python Flask
from flask_cors import CORS
CORS(app, resources={r"/api/*": {"origins": "*"}})

Use a Browser Extension (Dev Only)

For local testing, use the 'Allow CORS' Chrome extension to temporarily bypass the check.

Related Errors

HTTP

403 Forbidden — Access Denied

View fix

Error: EADDRINUSE — address already in use

View fix

Error: ENOENT — no such file or directory

View fix

Browse all error fixes