CORS: The Complete Handbook for Modern Web APIs

Cross-Origin Resource Sharing, or CORS, is one of the most misunderstood parts of web development. Teams lose hours to it because the browser error messages feel vague, framework defaults vary wildly, and many blog posts reduce the topic to “just add Access-Control-Allow-Origin: *”. That advice is often wrong. CORS is not an authentication system, not a CSRF defense, and not a server-to-server access control mechanism. It is a browser-enforced policy layer that decides whether frontend JavaScript running on one origin may read a response from another origin. ...

March 29, 2026 · 26 min · headertest.com

CORS for Discord Bots: A Real-World Before and After

Discord bot developers hit the same wall over and over: the bot works fine from Node.js, then somebody adds a web dashboard and the browser starts screaming about CORS. I’ve seen this happen with moderation bots, music bots, internal community tools, and “quick” admin panels that turned into production apps. The pattern is predictable:
- the bot token works on the server
- somebody tries to call Discord directly from frontend JavaScript
- preflight requests fail, or worse, the token gets exposed
- the team starts sprinkling Access-Control-Allow-Origin: * everywhere and hopes for the best
That’s not how you want to build a Discord bot dashboard. ...

June 30, 2026 · 7 min · headertest.com

CORS for SendGrid Webhooks: A Real-World Fix

If you’re debugging “CORS errors with SendGrid webhooks,” there’s a decent chance you’re solving the wrong problem. I’ve seen teams burn hours tweaking Access-Control-Allow-Origin on webhook endpoints that were never meant to be called by a browser in the first place. SendGrid webhooks are server-to-server callbacks. CORS is a browser enforcement layer. Those are two very different worlds. The real mess usually starts when someone tries to involve frontend JavaScript in webhook flows. ...

June 26, 2026 · 7 min · headertest.com

CORS for Heroku Deployments: A Real-World Fix

I’ve seen a lot of teams blame Heroku when their frontend suddenly starts throwing CORS errors after deployment. Usually, Heroku is not the problem. Heroku just makes bad CORS assumptions painfully visible. This case study comes from a very common setup:
- React frontend on one Heroku app or a custom domain
- Node/Express API on another Heroku app
- Everything works locally
- Production blows up with No 'Access-Control-Allow-Origin' header is present
The painful part is that the app often looks fine in Postman, curl, or server-to-server tests. Then the browser blocks it anyway. ...

June 25, 2026 · 6 min · headertest.com

CORS and Chrome Platform Apps: Practical Reference

Chrome platform apps have always been a weird corner of the web platform. They look like web apps, use web APIs, and make HTTP requests like a browser. But they also run with elevated privileges and their network behavior does not match a normal tab. If you work on CORS-heavy APIs, that difference matters. This guide is the practical version: what changes, what still applies, and what headers you actually need. ...

June 20, 2026 · 7 min · headertest.com

CORS for Real-Time Apps: Socket.IO and SignalR

Real-time apps make CORS weirder than plain old fetch(). A normal API request is easy to reason about: browser sends an Origin, server returns Access-Control-Allow-Origin, done. Real-time stacks like Socket.IO and SignalR add negotiation endpoints, long polling fallbacks, credentials, sticky sessions, and WebSocket upgrades. That combination creates the kind of bug where everything works locally, then production starts throwing “CORS policy blocked” while your websocket dashboard looks perfectly healthy. I’ve hit this enough times that I now treat real-time CORS as a separate problem, not just “API CORS but more.” ...

June 19, 2026 · 7 min · headertest.com

CORS for Headless CMS Preview Without the Headaches

Headless CMS preview sounds simple until the browser gets involved. Your editor clicks “Preview draft”, your frontend tries to fetch unpublished content from a CMS API on another origin, and suddenly the browser throws a CORS error that says almost nothing useful. I’ve seen teams lose hours here because they treated preview like normal production API traffic. It isn’t. Preview usually combines the hardest parts of cross-origin browser security in one flow: ...

June 17, 2026 · 7 min · headertest.com

CORS for Cloudflare Access: Pros, Cons, and Tradeoffs

Cloudflare Access is great at putting identity in front of internal apps and APIs. CORS is great at making frontend apps talk to APIs across origins. Put them together and you get a setup that works well — until it really doesn’t. I’ve seen teams assume Cloudflare Access will “just handle” cross-origin browser requests. It won’t. Access solves authentication and authorization at the edge. CORS is still your job, and the browser is still brutally strict about it. ...

June 15, 2026 · 7 min · headertest.com

CORS for Shopify Webhooks: What Actually Matters

Shopify webhooks and CORS get mixed up constantly. I’ve seen teams burn hours “fixing CORS” on webhook endpoints that were never touched by a browser in the first place. Shopify sends webhooks server-to-server. Browsers enforce CORS. Those are different worlds. So the short version is:
- Shopify webhook delivery does not require CORS
- Your frontend talking to your backend may require CORS
- Your webhook endpoint should usually not be exposed for browser cross-origin access at all
That distinction saves a lot of confusion. ...

June 14, 2026 · 6 min · headertest.com

CORS for WebApp Security Headers: A Real-World Fix

A lot of teams treat CORS like a checkbox: add Access-Control-Allow-Origin, ship it, move on. That usually works right up until the frontend needs one custom header, auth cookies enter the picture, or someone decides * is fine everywhere. I’ve seen this go wrong in a very normal setup: a React frontend on app.example.com, an API on api.example.com, and a CDN in front of both. Nothing exotic. The bug report sounded simple: ...

June 13, 2026 · 6 min · headertest.com
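The handbook entry above describes CORS as a browser-enforced layer that decides whether cross-origin JavaScript may read a response, and the security-headers entry describes the point where “just add Access-Control-Allow-Origin” breaks: a custom request header, auth cookies, or * everywhere. The block below is an added example, not code from headertest.com or from any of the listed articles. It models the header logic a Node/Express-style CORS middleware would apply to a request shaped like { method, headers } with lower-cased header names (as Node's http module delivers them), and puts the common weak version (reflect any Origin plus credentials) beside a hardened one. The origins, method list, header list, and sample requests are assumptions for illustration.

```javascript
// Added example (not headertest.com's code). Assumed allowlist for illustration.
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com", // assumed production frontend
  "http://localhost:3000",   // assumed local dev frontend
]);
const ALLOWED_METHODS = ["GET", "POST", "PUT", "DELETE"];
const ALLOWED_HEADERS = ["content-type", "authorization", "x-request-id"]; // lower-cased for comparison
const PREFLIGHT_MAX_AGE = 600; // seconds the browser may cache a preflight result

// The common mistake: echo whatever Origin arrives and allow credentials.
// Any site can now make the victim's browser send its cookies and read the reply.
function weakCorsHeaders(req) {
  const origin = req.headers.origin;
  if (origin === undefined) return {};
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// Hardened version. Returns { status, headers, preflight }:
//   status 200 + headers    -> attach headers and let the normal route handler run
//   status 204 + preflight  -> answer the OPTIONS preflight here and stop
//   status 403              -> origin, method or header not allowlisted
// (The browser would block the read anyway; refusing explicitly keeps logs honest.)
function corsDecision(req) {
  const origin = req.headers.origin;
  // No Origin header: same-origin navigation or a non-browser client (curl, a webhook
  // sender, server-to-server). CORS does not apply, so no CORS headers are needed.
  if (origin === undefined) return { status: 200, headers: {}, preflight: false };

  // Exact-match allowlist. Never startsWith/includes/regex here:
  // "https://app.example.com.evil.net" must not match "https://app.example.com".
  if (!ALLOWED_ORIGINS.has(origin)) return { status: 403, headers: {}, preflight: false };

  const headers = {
    "Access-Control-Allow-Origin": origin,      // echo only an allowlisted value, never "*"
    "Access-Control-Allow-Credentials": "true", // cookies/Authorization are in play; "*" would be rejected
    "Vary": "Origin",                           // keep a CDN from caching one origin's ACAO for another
  };

  const requestedMethod = req.headers["access-control-request-method"];
  const isPreflight = req.method === "OPTIONS" && requestedMethod !== undefined;
  if (!isPreflight) return { status: 200, headers, preflight: false };

  // Preflight: the browser asks before sending a non-simple method or custom header.
  if (!ALLOWED_METHODS.includes(requestedMethod)) return { status: 403, headers: {}, preflight: true };
  const requestedHeaders = (req.headers["access-control-request-headers"] || "")
    .split(",")
    .map((h) => h.trim().toLowerCase())
    .filter(Boolean);
  if (!requestedHeaders.every((h) => ALLOWED_HEADERS.includes(h))) {
    return { status: 403, headers: {}, preflight: true };
  }
  headers["Access-Control-Allow-Methods"] = ALLOWED_METHODS.join(", ");
  headers["Access-Control-Allow-Headers"] = ALLOWED_HEADERS.join(", ");
  headers["Access-Control-Max-Age"] = String(PREFLIGHT_MAX_AGE);
  return { status: 204, headers, preflight: true };
}

// Constructed sample requests (not captured traffic).
const preflightFromDashboard = {
  method: "OPTIONS",
  headers: {
    origin: "https://app.example.com",
    "access-control-request-method": "POST",
    "access-control-request-headers": "Content-Type, Authorization",
  },
};
const getFromLookalike = { method: "GET", headers: { origin: "https://app.example.com.evil.net" } };
const curlNoOrigin = { method: "GET", headers: {} };

console.log(JSON.stringify(corsDecision(preflightFromDashboard)));
console.log(JSON.stringify(corsDecision(getFromLookalike)));
console.log(JSON.stringify(weakCorsHeaders(getFromLookalike))); // reflects the attacker's origin
console.log(JSON.stringify(corsDecision(curlNoOrigin)));
```

Two design points worth noting. First, a request without an Origin header gets no CORS headers at all, which is why curl and server-to-server tests “work” while the browser still blocks: the header only matters when a browser sends Origin. Second, the hardened version only answers the preflight for methods and headers it actually allowlists, so adding one custom header on the frontend shows up as a 403 on the OPTIONS request rather than as a silent “works locally, breaks in production” bug.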