CORS error: No Access-Control-Allow-Origin header
=================================================

### [\#Errors](https://rocketeersapp.com/knowledge/errors)

A CORS error means the browser blocked a cross-origin request because the server did not return the right headers. The fix is to send Access-Control-Allow-Origin from the API, not to disable browser security.

 Published by [Mark van Eijk](https://rocketeersapp.com/author/mark-van-eijk) on June 23, 2026 · 1 minute read

1. [About the error](#content-about-the-error)
2. [Why do I see this error](#content-why-do-i-see-this-error)
3. [Solution](#content-solution)
4. [Laravel](#content-laravel)
5. [nginx](#content-nginx)
6. [Don't "fix" it in the browser](#content-dont-fix-it-in-the-browser)

About the error
---------------

In the browser console you see something like:

```
Access to fetch at 'https://api.example.com/users' from origin
'https://app.example.com' has been blocked by CORS policy:
No 'Access-Control-Allow-Origin' header is present on the requested resource.
```

CORS (Cross-Origin Resource Sharing) is a browser security mechanism. When your frontend on one origin calls an API on another origin, the browser only exposes the response if the API explicitly allows that origin via response headers. No header, blocked request.

Why do I see this error
-----------------------

- The API doesn't send an `Access-Control-Allow-Origin` header.
- The frontend and API are on different origins (different domain, subdomain, port, or scheme).
- A **preflight** `OPTIONS` request (sent for non-simple requests) isn't being answered correctly.
- Credentials (cookies) are involved but the headers don't permit them.

Note that the error is reported by the browser. The request often reaches your server fine; the browser just hides the response from your JavaScript.
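The causes listed above can be told apart by checking the response headers the way the browser does. The following is an added example, not code from this site or from any browser: a simplified JavaScript model of the CORS checks (not the full Fetch specification), in which the function names and all request and response values are constructed for illustration.

```javascript
// Added example: simplified model of the browser's CORS checks (not the full Fetch spec).
// Header maps use lower-case names; function names and sample values are hypothetical.
const SAFE_METHODS = ['GET', 'HEAD', 'POST'];
const SAFE_HEADERS = ['accept', 'accept-language', 'content-language'];
const SAFE_TYPES = ['application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain'];
const list = (v) => (v || '').split(',').map((s) => s.trim().toLowerCase()).filter(Boolean);
// '*' only counts without credentials, and never covers the Authorization header.
const permits = (vals, item, cred) => vals.includes(item) || (!cred && item !== 'authorization' && vals.includes('*'));

// Request headers that force a preflight (Content-Type only with a non-simple value).
function unsafeHeaders(req) {
  return Object.entries(req.headers || {}).filter(([k, v]) => {
    const name = k.toLowerCase();
    if (name === 'content-type') return !SAFE_TYPES.includes(v.split(';')[0].trim().toLowerCase());
    return !SAFE_HEADERS.includes(name);
  }).map(([k]) => k.toLowerCase());
}

// Origin and credentials check, applied to both the preflight and the actual response.
function checkOrigin(req, headers) {
  const acao = headers['access-control-allow-origin'];
  if (acao === undefined) return 'no Access-Control-Allow-Origin header';
  if (req.credentials && acao === '*') return 'wildcard origin with credentials';
  if (acao !== '*' && acao !== req.origin) return 'origin not allowed';
  if (req.credentials && headers['access-control-allow-credentials'] !== 'true')
    return 'credentials not permitted';
  return null;
}

// Returns 'allowed' or 'blocked: <reason>'. preflight is the OPTIONS response, or null.
function corsVerdict(req, response, preflight) {
  if (new URL(req.url).origin === req.origin) return 'allowed'; // same origin: no CORS
  const unsafe = unsafeHeaders(req);
  if (!SAFE_METHODS.includes(req.method) || unsafe.length > 0) {
    if (!preflight || preflight.status < 200 || preflight.status > 299)
      return 'blocked: preflight OPTIONS not answered with 2xx';
    const pre = checkOrigin(req, preflight.headers);
    if (pre) return `blocked: preflight: ${pre}`;
    const methods = list(preflight.headers['access-control-allow-methods']);
    if (!SAFE_METHODS.includes(req.method) && !permits(methods, req.method.toLowerCase(), req.credentials))
      return 'blocked: method not in Access-Control-Allow-Methods';
    const allowed = list(preflight.headers['access-control-allow-headers']);
    const missing = unsafe.find((h) => !permits(allowed, h, req.credentials));
    if (missing) return `blocked: header ${missing} not in Access-Control-Allow-Headers`;
  }
  const reason = checkOrigin(req, response.headers);
  return reason ? `blocked: ${reason}` : 'allowed';
}
```

Feed it the headers copied from the Network tab for both the `OPTIONS` request and the actual request to see which of the four causes applies.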

Solution
--------

### Laravel

Laravel has built-in CORS handling. Configure the allowed origins in `config/cors.php`:

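```
// Excerpt of the array returned by config/cors.php
'paths' => ['api/*', 'sanctum/csrf-cookie'],
'allowed_methods' => ['*'],
// Explicit origins only: '*' cannot be used when supports_credentials is true
'allowed_origins' => ['https://app.example.com'],
'allowed_headers' => ['*'],
'supports_credentials' => true,
```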

Set `supports_credentials` to `true` only if you send cookies. In that case `allowed_origins` cannot be `*`; it must list explicit origins. Clear the config cache after editing:

```
php artisan config:clear
```

### nginx

If you serve the API directly through nginx, add the headers in the relevant `location` block and answer the preflight `OPTIONS` request:

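```
location /api/ {
    # "always" adds the headers to error responses as well as successful ones
    add_header 'Access-Control-Allow-Origin' 'https://app.example.com' always;
    add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, OPTIONS' always;
    add_header 'Access-Control-Allow-Headers' 'Authorization, Content-Type' always;
    # If the frontend sends cookies, the browser also requires
    # 'Access-Control-Allow-Credentials' 'true' on these responses

    # Answer the preflight directly with an empty 204
    if ($request_method = OPTIONS) {
        return 204;
    }
}
```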

### Don't "fix" it in the browser

Disabling web security with a browser flag or a proxy extension only hides the error on your machine; every real visitor still gets blocked. CORS must be solved on the server that owns the API.
