Why am I getting a CORS error? — a practical guide
The browser console says "blocked by CORS policy". What that actually means, why it happens, and three ways to fix it — with code.
Working notes from the team behind corsproxy.dev. Plain-English explanations and honest tradeoffs.
The browser console says "blocked by CORS policy". What that actually means, why it happens, and three ways to fix it — with code.
The one-line dev fix, the production-ready allowlist, the per-route configuration, and the common gotchas — with copy-paste code.
Your login sets a cookie but the next request comes back logged out. The four moving parts that all have to align, with code and the most common failures.
Vite proxy config, webpack-dev-server, server-side CORS, a flag-disabled browser, and a CORS proxy. Five practical fixes, ordered by how production-safe each one is.
cors-anywhere, allorigins, ThingProxy, corsproxy.io, and corsproxy.dev. Which ones are still maintained, what their limits are, and what to watch out for.
CORS proxies are powerful and, by default, dangerous. Here's how an open relay can be weaponised, and what corsproxy.dev does to make sure ours isn't one.
Same proxy core, two operational shapes. Cost, control, security, and ops — when each one wins, and how to switch between them.
The public cors-anywhere.herokuapp.com demo is rate-limited to ~50 requests per hour. Here's the drop-in migration path with code for vanilla fetch, Axios, and helper wrappers.
Logging policy, GDPR posture, authentication header forwarding, self-hosting options, and other things people email us about.