CORS error: No Access-Control-Allow-Origin header

A CORS error means the browser blocked a cross-origin request because the server did not return the right headers. The fix is to send Access-Control-Allow-Origin from the API, not to disable browser security.

Published by Mark van Eijk on June 23, 2026 · 1 minute read

  1. About the error
  2. Why do I see this error
  3. Solution
  4. Laravel
  5. nginx
  6. Don't "fix" it in the browser

About the error

In the browser console you see something like:

Access to fetch at 'https://api.example.com/users' from origin
'https://app.example.com' has been blocked by CORS policy:
No 'Access-Control-Allow-Origin' header is present on the requested resource.

CORS (Cross-Origin Resource Sharing) is a browser security mechanism. When your frontend on one origin calls an API on another origin, the browser only exposes the response if the API explicitly allows that origin via response headers. No header, blocked request.

Why do I see this error

  • The API doesn't send an Access-Control-Allow-Origin header.
  • The frontend and API are on different origins (different domain, subdomain, port, or scheme).
  • A preflight OPTIONS request (sent for non-simple requests) isn't being answered correctly.
  • Credentials (cookies) are involved but the headers don't permit them.

Note that the error is reported by the browser. The request often reaches your server fine; the browser just hides the response from your JavaScript.
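
The checks behind the causes listed above, as an added example that is not part of the original article: a simplified JavaScript model of how a browser decides whether to expose a cross-origin response. The function names and the request shape are this example's own, and the sample headers are constructed from the article's nginx block.

```javascript
// Added example, not the article's code: a simplified model of the checks a
// browser runs before exposing a cross-origin response to JavaScript.
const lower = (headers) => Object.fromEntries(
  Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v).trim()]));

// Check applied to every cross-origin response, preflight or actual.
function corsCheck(origin, withCredentials, headers) {
  const h = lower(headers);
  const allow = h['access-control-allow-origin'];
  if (allow === undefined) return 'missing Access-Control-Allow-Origin';
  if (allow === '*') return withCredentials ? 'wildcard origin not allowed with credentials' : 'ok';
  if (allow !== origin) return 'origin mismatch';
  if (withCredentials && h['access-control-allow-credentials'] !== 'true') {
    return 'credentials not permitted';
  }
  return 'ok';
}

// Extra checks on the OPTIONS preflight. req.headers holds only the request
// header names that triggered the preflight (an assumption of this model).
function preflightCheck(req, status, headers) {
  const base = corsCheck(req.origin, req.withCredentials, headers);
  if (base !== 'ok') return 'preflight: ' + base;
  if (status < 200 || status > 299) return 'preflight: non-2xx status';
  const h = lower(headers);
  const list = (name) =>
    (h[name] || '').split(',').map((s) => s.trim()).filter(Boolean);
  const wildcardOk = !req.withCredentials; // "*" only counts without credentials
  const methods = list('access-control-allow-methods');
  const simple = ['GET', 'HEAD', 'POST'].includes(req.method);
  if (!simple && !methods.includes(req.method) &&
      !(wildcardOk && methods.includes('*'))) {
    return 'preflight: method not allowed';
  }
  const allowed = list('access-control-allow-headers').map((s) => s.toLowerCase());
  for (const name of req.headers.map((s) => s.toLowerCase())) {
    // Authorization must be listed by name; "*" never covers it.
    const viaWildcard = wildcardOk && allowed.includes('*') && name !== 'authorization';
    if (!allowed.includes(name) && !viaWildcard) return 'preflight: header not allowed: ' + name;
  }
  return 'ok';
}

// Constructed sample: the header set from this article's nginx block.
const sample = {
  'Access-Control-Allow-Origin': 'https://app.example.com',
  'Access-Control-Allow-Methods': 'GET, POST, PUT, DELETE, OPTIONS',
  'Access-Control-Allow-Headers': 'Authorization, Content-Type',
};
```

Calling corsCheck with the sample headers and withCredentials set to true returns 'credentials not permitted', which is the fourth cause in the list: the origin matches, but nothing tells the browser that cookies are allowed.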

Solution

Laravel

Laravel has built-in CORS handling. Configure the allowed origins in config/cors.php:

'paths' => ['api/*', 'sanctum/csrf-cookie'],
'allowed_methods' => ['*'],
'allowed_origins' => ['https://app.example.com'],
'allowed_headers' => ['*'],
'supports_credentials' => true,

Set supports_credentials to true only if you send cookies. In that case allowed_origins cannot be *; it must list explicit origins. Clear the cached config after editing:

php artisan config:clear

nginx

If you serve the API directly through nginx, add the headers in the relevant location block and answer the preflight OPTIONS request:

location /api/ {
    add_header 'Access-Control-Allow-Origin' 'https://app.example.com' always;
    add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, OPTIONS' always;
    add_header 'Access-Control-Allow-Headers' 'Authorization, Content-Type' always;

    if ($request_method = OPTIONS) {
        return 204;
    }
}

Don't "fix" it in the browser

Disabling web security with a browser flag or a proxy extension only hides the error on your machine; every real visitor still gets blocked. CORS must be solved on the server that owns the API.
