Response to preflight request doesn't pass access control check

avatar
Borislav Hadzhiev

Last updated: Mar 7, 2024
6 min

banner

# Response to preflight request doesn't pass access control check

The error "Response to preflight request doesn't pass access control check" occurs for multiple reasons:

  1. The server you are making an HTTP request to doesn't send back the correct CORS headers.
  2. You have specified an incorrect or incomplete URL when making the HTTP request.
  3. You have specified the wrong protocol in the URL.
  4. You have specified the wrong HTTP method or headers when making the HTTP request.
shell
Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://localhost' is therefore not allowed access. Error 405

CORS is a mechanism that allows a server to use a combination of HTTP headers to indicate from which domains, other than its own, it receives requests.

By default, servers only take requests made from applications hosted on the same domain.

If your server is hosted on http://example.com, for you to be able to make an HTTP request from http://localhost:3000, your server has to send the necessary CORS headers in its responses.

To allow other origins to make requests to your server, you have to set the Access-Control-* headers in your server's responses.

The server should be setting the following CORS headers along with the response.

cors
# ๐Ÿ‘‡๏ธ your domain below, e.g. http://localhost:3000 Access-Control-Allow-Origin: http://example.com Access-Control-Allow-Methods: POST, PUT, PATCH, GET, DELETE, OPTIONS Access-Control-Allow-Headers: Origin, X-Api-Key, X-Requested-With, Content-Type, Accept, Authorization

You might have to tweak the values depending on your use case but open the Network tab in your browser, click on the request and check if your server is setting these CORS-related headers.

cors headers server responds with

The headers are:

  • Access-Control-Allow-Origin - which origins are allowed to make requests to the server.
  • Access-Control-Allow-Methods - which HTTP methods the origins are allowed to use when making requests to the server.
  • Access-Control-Allow-Headers - which HTTP headers the origins are allowed to use when making requests to the server.
  • Access-Control-Allow-Credentials - whether to expose the server response to the frontend when the request's credentials mode is set to include. When credentials mode is set to include, our frontend will always send user credentials (i.e. cookies, auth headers) even for CORS calls.

There is also an Access-Control-Allow-Credentials header. Setting it to true is only necessary if your browser sends user credentials with requests (e.g. cookies or the Authorization header).

cors
# ๐Ÿ‘‡๏ธ only if your browser sends user credentials (cookies or Auth headers) Access-Control-Allow-Credentials: true
If you can't get the CORS options working, try using the * (asterisk) symbol as the origin and see if that works.

When an asterisk * is set for the Access-Control-Allow-Origin header, any origin on the internet can access the server.

cors
Access-Control-Allow-Origin: * Access-Control-Allow-Methods: POST, PUT, PATCH, GET, DELETE, OPTIONS Access-Control-Allow-Headers: *

You would want to narrow this down in production, but it's a useful tool when debugging.

Note that the Access-Control-Allow-Credentials header cannot be set to true if Access-Control-Allow-Origin is set to an asterisk *.

When the Access-Control-Allow-Headers is set to an asterisk, all headers are allowed in a preflight request.

If you use a server like Nginx or Apache, you have to configure it to send the Access-Control-Allow-* headers to allow other origins to make HTTP requests to it.

There are usually packages that take care of CORS for you if you use mainstream backend frameworks, such as Express.js.

You can google for "enable CORS for my_framework", e.g. "enable CORS for express.js".

In the case of Express.js, this is handled by the CORS module which automatically sends the specified Access-Control-Allow-* headers on server responses.

# Make sure that the specified URL is correct and complete

Make sure that the URL you've specified when making the HTTP request is correct and complete.

  • The URL has to include the protocol, e.g. http:// or https:// if you're testing on localhost without an SSL certificate.
  • The path has to be correct e.g. /posts.
  • The HTTP method (e.g. GET or POST) has to be correct for the specific path (e.g. /posts).
If you misspell any of the configurations when making the HTTP request, e.g. a property in the headers object or the HTTP method, the error occurs.

For example, if you use the native fetch API to make an HTTP request, your request looks something like the following.

index.js
async function getUser() { try { const response = await fetch('https://randomuser.me/api/', { method: 'GET', headers: { accept: 'application/json', }, }); if (!response.ok) { throw new Error(`Error! status: ${response.status}`); } const result = await response.json(); return result; } catch (err) { console.log(err); } } getUser();

If you're making a POST, PUT or PATCH request, make sure the body is passed to the JSON.stringify() method unless the library that you use does that automatically for you.

For example, when using fetch, you have to manually convert the body you're sending over the network to JSON.

If the URL, path, HTTP method, headers and body of your HTTP request are correct, the most likely cause of the error is your server not sending the correct CORS HTTP headers that would allow your browser to make an HTTP request.

Try setting the following HTTP response headers on your server.

cors
# ๐Ÿ‘‡๏ธ your domain below, e.g. http://localhost:3000 Access-Control-Allow-Origin: http://example.com Access-Control-Allow-Methods: POST, PUT, PATCH, GET, DELETE, OPTIONS Access-Control-Allow-Headers: Origin, X-Api-Key, X-Requested-With, Content-Type, Accept, Authorization

If that doesn't work, set the Access-Control-Allow-Origin to an asterisk to allow HTTP requests from all origins and make an HTTP request to the server again.

cors
Access-Control-Allow-Origin: * Access-Control-Allow-Methods: POST, PUT, PATCH, GET, DELETE, OPTIONS Access-Control-Allow-Headers: *

Once you get CORS working, you can narrow down the values of the Access-Control-Allow-* headers.

# If you don't have access to the server, use a proxy

A proxy is a server that sits between the client (browser) and the server you need to make an HTTP request to.

If you aren't able to set the Access-Control-Allow-* response headers on the server, you can make an HTTP request to a proxy, which makes an HTTP request to the other server.

This is possible because the same origin policy isn't enforced when making requests from one server to another.

If your proxy server sends the correct Access-Control-Allow-* headers to your client (browser), then it can just fetch the information from the other server and respond with it.

Here is an example of a simple proxy using Express.js.

In order to use it, you first have to install the dependencies.

shell
npm install express

The proxy consists of the following code stored in an index.js file.

index.js
const express = require('express'); const app = express(); app.use((_req, res, next) => { res.header('Access-Control-Allow-Origin', '*'); res.header('Access-Control-Allow-Headers', '*'); next(); }); app.get('/users', async (_req, res) => { const url = 'https://randomuser.me/api/'; try { const response = await fetch(url); if (!response.ok) { throw new Error(`Error! status: ${response.status}`); } const result = await response.json(); return res.json(result); } catch (error) { console.log(error); return res.status(500).json({error: 'An error occurred'}); } }); const port = 3456; app.listen(port, () => console.log(`Server running on http://localhost:${port}`), );

You can start the proxy server with the node index.js command.

shell
node index.js

You can make an HTTP request to http://localhost:3456/users to get a response with the data.

make http request to proxy

We set the Access-Control-Allow-Origin and Access-Control-Allow-Headers headers to an asterisk to allow all origins to make requests to the proxy server.

The next step is to make an HTTP request to the other server and send the response to the client.

The proxy server simply sits between the browser and the other server and takes advantage of the fact that one server can make an HTTP request to another without having to pass CORS checks.

Alternatively, you can use a proxy server that makes a request to the specified URL and responds with the result.

The cors-anywhere package is a NodeJS proxy which adds CORS headers to the proxied request.

# Using the cors-anywhere package as a proxy

You can use the following command to install the cors-anywhere package.

shell
npm install cors-anywhere

Here are the contents of a simple implementation of the proxy server stored in an index.js file.

index.js
const cors_proxy = require('cors-anywhere'); const host = process.env.HOST || '0.0.0.0'; // Listen on a specific port via the PORT environment variable const port = process.env.PORT || 8080; cors_proxy .createServer({ originWhitelist: [], // Allow all origins }) .listen(port, host, function () { console.log('Running CORS Anywhere on ' + host + ':' + port); });

You can start the proxy server with the node index.js command.

shell
node index.js

The server is available at http://localhost:8080.

As shown in the docs, the URL to proxy is taken from the path.

Here are some examples.

shell
# ๐Ÿ‘‡๏ธ makes a request to randomuser.me/api http://localhost:8080/randomuser.me/api # ๐Ÿ‘‡๏ธ makes a request to google.com http://localhost:8080/google.com

make http request using proxy server

The concept is the same - the proxy server makes an HTTP request to the specified URL and sends the response data back to the client.

# Conclusion

To solve the error "Response to preflight request doesn't pass access control check", make sure:

  1. Your server sends back all the necessary CORS headers to enable requests from a different origin.
  2. You haven't specified an incorrect or incomplete URL when making the request.
  3. You haven't specified the wrong protocol in the URL.
  4. You haven't specified a wrong HTTP method or headers when making the request.
I wrote a book in which I share everything I know about how to become a better, more efficient programmer.
book cover
You can use the search field on my Home Page to filter through all of my articles.

Copyright ยฉ 2024 Borislav Hadzhiev