Access-Control-Allow-Origin: Which origins are allowed (e.g., https://devref.cc). | Access-Control-Allow-Methods: Allowed methods (GET, POST, etc.). | Access-Control-Allow-Headers: Allowed request headers.

CORS blocked: Missing or mismatched Allow-Origin header. | Credentials issue: Allow-Credentials true but Allow-Origin is * (invalid). | Preflight failed: Server does not respond to OPTIONS correctly.

CORS Quick Guide

Understand Cross-Origin Resource Sharing and common browser errors.

When to Check CORS First

Check CORS early when a browser request fails but the same API works in curl or Postman. That usually means the backend is reachable, but the browser is blocking access because the origin, headers, credentials, or preflight response do not match.

What CORS Does

CORS allows browsers to permit cross-origin requests when the server explicitly allows them.

Key Response Headers

Key / Code	Description
Access-Control-Allow-Origin	Which origins are allowed (e.g., https://devref.cc).
Access-Control-Allow-Methods	Allowed methods (GET, POST, etc.).
Access-Control-Allow-Headers	Allowed request headers.
Access-Control-Allow-Credentials	Whether cookies/credentials are allowed.
Access-Control-Expose-Headers	Response headers accessible to JS.
Access-Control-Max-Age	Cache duration for preflight response.

Preflight Requests

Browsers send an OPTIONS request before certain cross-origin calls.

OPTIONS /api/items
Origin: https://devref.cc
Access-Control-Request-Method: POST
Access-Control-Request-Headers: Content-Type

Common Errors

Key / Code	Description
CORS blocked	Missing or mismatched Allow-Origin header.
Credentials issue	Allow-Credentials true but Allow-Origin is * (invalid).
Preflight failed	Server does not respond to OPTIONS correctly.

Common CORS Mistakes

The most common mistake is trying to fix CORS only in frontend code. CORS is enforced by the browser and must be allowed by the server response, including correct handling of OPTIONS and consistent headers across success and error responses.

HTTP headers reference

Review the request and response headers that usually appear in CORS debugging sessions.

HTTP methods and safe request design

Understand which methods trigger preflight and how method choice affects browser behavior.

URL encoder and decoder

Inspect callback URLs and encoded redirect parameters while debugging browser requests.

Docker cheatsheet for local API debugging

Useful when your API server is running in containers and browser requests fail locally.

Knowledge is power.