Access-Control-Allow-Origin: Which origins are allowed (e.g., https://devref.cc). | Access-Control-Allow-Methods: Allowed methods (GET, POST, etc.). | Access-Control-Allow-Headers: Allowed request headers.

CORS blocked: Missing or mismatched Allow-Origin header. | Credentials issue: Allow-Credentials true but Allow-Origin is * (invalid). | Preflight failed: Server does not respond to OPTIONS correctly.

CORS Quick Guide

Understand Cross-Origin Resource Sharing and common browser errors.

What CORS Does

CORS allows browsers to permit cross-origin requests when the server explicitly allows them.

Key Response Headers

Key / Code	Description
Access-Control-Allow-Origin	Which origins are allowed (e.g., https://devref.cc).
Access-Control-Allow-Methods	Allowed methods (GET, POST, etc.).
Access-Control-Allow-Headers	Allowed request headers.
Access-Control-Allow-Credentials	Whether cookies/credentials are allowed.
Access-Control-Expose-Headers	Response headers accessible to JS.
Access-Control-Max-Age	Cache duration for preflight response.

Preflight Requests

Browsers send an OPTIONS request before certain cross-origin calls.

OPTIONS /api/items
Origin: https://devref.cc
Access-Control-Request-Method: POST
Access-Control-Request-Headers: Content-Type

Common Errors

Key / Code	Description
CORS blocked	Missing or mismatched Allow-Origin header.
Credentials issue	Allow-Credentials true but Allow-Origin is * (invalid).
Preflight failed	Server does not respond to OPTIONS correctly.

Knowledge is power.