How to fix a CORS error (the secure way)
The quickest 'fix' for a CORS error, allowing every origin with a wildcard or by reflecting whatever Origin the browser sends, is also a security hole: it lets any website read your API's responses from a victim's browser, and combined with credentials it exposes the victim's authenticated data. The right fix allows only the origins you trust.
Step by step
1. Understand what CORS protects
CORS controls which web origins may read responses from your API in a browser; it is the browser's same-origin policy with a server-declared exception. Answering with a wildcard ('*') or echoing back whatever Origin the request carried widens that exception to everyone: with '*' any site can read unauthenticated responses, and a reflected origin plus Access-Control-Allow-Credentials: true exposes authenticated ones as well.
2. Allowlist specific origins
Set Access-Control-Allow-Origin to the exact frontend origin(s) you trust, e.g. https://app.example.com, never '*'. The header carries a single value, so keep a server-side allowlist, compare the request's Origin against it by exact match (scheme, host and port, with no prefix, suffix or regex matching, so https://app.example.com.evil.test cannot pass as https://app.example.com), and echo only the matched entry. Add Vary: Origin so a shared cache never serves one origin's response to another.
3. Be careful with credentials
If the API is called with cookies or HTTP authentication, '*' does not work at all: browsers reject a wildcard on credentialed requests. You must echo a specific allowlisted origin and set Access-Control-Allow-Credentials: true, and do that only for origins you trust, because a reflected origin with credentials allowed is exactly what lets a malicious page read a logged-in user's data.
4. Verify with our CORS checker
Re-check the endpoint: send requests carrying an Origin you do not control (and the opaque 'null' origin) and confirm the response carries no matching Access-Control-Allow-Origin, and that Access-Control-Allow-Credentials: true appears only alongside an origin from your allowlist.
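The allowlist check from steps 2 and 3, as an added example written for this page (it is not ClearedToShip's code and not the checker's): plain JavaScript with no web framework, so it runs as-is under Node. The origins in ALLOWED_ORIGINS, the function names, and the accepted methods and request headers in the preflight handler are assumptions; swap in your own.

```javascript
// Added example, not code from the original page. The allowlist below is assumed.
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",
  "https://admin.example.com",
]);

// Parse the Origin request header into a canonical origin (scheme://host[:port]).
// Returns null for anything that is not exactly an origin: a missing header, the
// opaque "null" origin (sandboxed iframes, file://, some redirects), or a value
// that carries a path, userinfo, a default port or different casing.
function canonicalOrigin(value) {
  if (typeof value !== "string" || value === "null") return null;
  let url;
  try {
    url = new URL(value);
  } catch {
    return null;
  }
  // url.origin rebuilds scheme://host[:port]; if it differs from the header, the
  // header carried something other than a bare origin and is rejected.
  return url.origin === value ? url.origin : null;
}

// The insecure "fix" the page warns about: reflect whatever Origin arrives and
// allow credentials. Any site can now read a logged-in user's responses.
function insecureReflectOrigin(requestOrigin) {
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// The secure version: CORS headers to attach to a response for a request from
// requestOrigin. Membership is an exact Set lookup, never startsWith or a regex,
// so https://app.example.com.evil.test does not match https://app.example.com.
function corsHeadersFor(requestOrigin, { allowCredentials = false } = {}) {
  // The response depends on Origin, so shared caches must key on it.
  const headers = { Vary: "Origin" };
  const origin = canonicalOrigin(requestOrigin);
  if (origin === null || !ALLOWED_ORIGINS.has(origin)) {
    // No Access-Control-Allow-Origin at all: the browser refuses the read.
    return headers;
  }
  // Echo the matched allowlisted origin, not "*": browsers reject "*" on
  // credentialed requests, and "*" would open the response to every site.
  headers["Access-Control-Allow-Origin"] = origin;
  if (allowCredentials) {
    headers["Access-Control-Allow-Credentials"] = "true";
  }
  return headers;
}

// Preflight (OPTIONS) handling built on the same check. Returns the status and
// headers to send; an untrusted origin, method or header gets 403 and no grant.
// The accepted methods and headers are assumptions for this example.
function handlePreflight(requestOrigin, requestedMethod, requestedHeaders) {
  const headers = corsHeadersFor(requestOrigin, { allowCredentials: true });
  if (!headers["Access-Control-Allow-Origin"]) {
    return { status: 403, headers };
  }
  const allowedMethods = ["GET", "POST", "PUT", "DELETE"];
  if (!allowedMethods.includes(requestedMethod)) {
    return { status: 403, headers };
  }
  // Only echo request headers the API actually accepts.
  const acceptable = new Set(["content-type", "authorization"]);
  const requested = (requestedHeaders || "")
    .split(",")
    .map((h) => h.trim().toLowerCase())
    .filter(Boolean);
  if (requested.some((h) => !acceptable.has(h))) {
    return { status: 403, headers };
  }
  headers["Access-Control-Allow-Methods"] = allowedMethods.join(", ");
  headers["Access-Control-Allow-Headers"] = requested.join(", ");
  headers["Access-Control-Max-Age"] = "600";
  return { status: 204, headers };
}

// Usage on two constructed requests: a trusted origin and a look-alike attacker origin.
console.log(corsHeadersFor("https://app.example.com", { allowCredentials: true }));
console.log(corsHeadersFor("https://app.example.com.evil.test", { allowCredentials: true }));
console.log(insecureReflectOrigin("https://app.example.com.evil.test"));
```

Wire corsHeadersFor into whatever sends your responses (a middleware in Express, a handler wrapper elsewhere) and route OPTIONS requests through handlePreflight. The point to carry over to any framework is the shape of the check: exact match against a fixed list, echo the matched value, send Vary: Origin, and attach Access-Control-Allow-Credentials only on the success path.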
Want it verified, not just fixed?
Fixing it is step one. A ClearedToShip review confirms the fix actually holds and gives you a signed, insured clearance to launch. Join early access: