<figure class="image"><img src="https://images.unsplash.com/photo-1551867120-1d573ec3f1dd?ixlib=rb-1.2.1&amp;q=80&amp;fm=jpg&amp;crop=entropy&amp;cs=tinysrgb&amp;w=1080&amp;fit=max&amp;ixid=eyJhcHBfaWQiOjExODA5M30"><figcaption>Photo By; <a target="_blank" rel="noopener noreferrer" href="https://unsplash.com/@arashasghari?utm_source=unsplash-chrome-extension&amp;utm_medium=referral">Arash Asghari</a></figcaption></figure>CORS error is very common when your application is using cross-domain APIs. The error message shown in your browser console is like below:<blockquote>Access to fetch at ‘https://your-api.com" from origin “https://your-site.com” has been blocked by CORS policy: No ’Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response servers your needs, set the request's mode to ‘no-cors’ to fetch the resource with CORS disabled.</blockquote>The key part of this message is: No ’Access-Control-Allow-Origin' header is present on the requested resource. To know if you have this issue, check out these two questions:<ol><li>Are the requesting site and the requested resource (i.e. API server) Cross-Origin? Which includes the different protocols (ex: http vs https) and/or the different domains and or the different ports.</li><li>Does the requested resource send the “Access-Control-Allow-Origin” header in the response?</li></ol>If you say yes to the first question, but say no to the second one, then you would need to fix this by setting up the CORS option in your response header. The solution could be different based on what API server you are using. For example, with the Apollo server, you can have options like below:<pre><code class="language-javascript">const options = {
 cors: {
 origin: *,
 credentials: true,
 methods: 'POST, GET, OPTIONS',
 allowedHeaders: [
 'Content-Type',
 'X-Amz-Date',
 'Authorization',
 'X-Api-Key',
 'X-Amz-Security-Token'
 ]
 }
};</code></pre>If you say yes to both questions, then very likely you're okay, and the CORS error is just a false alarm. &nbsp;In this case, you need to check the request and response header of your API (XHR) call, which can be found at the ‘Network’ tab of the browser's Inspect tool.&nbsp;You might see some Request Headers like:<pre><code class="language-plaintext">Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: cross-site</code></pre>This means the request is made by cross-site with ‘cors’ mode, so the browser will look for ‘Access-Control-Allow-Origin’ header in the response to make sure the request is allowed under CORS policy. When the header is not present, the browser will throw the error with the Eye-catching word “CORS”. It would be very confusing if you believe that you have CORS set up already, either open to everyone (with ‘*’) or to the whitelist of domains.Most likely, there are some other issues of your API server, for example, database connection issue or network issue, which causes “500” internal error, but the response headers of status 500 do not include “Access-Control-Allow-Origin”, so the browser throws the error no matter what.Worth to mention that the second part of the error message is even confusing:<blockquote>If an opaque response servers your needs, set the request's mode to ‘no-cors’ to fetch the resource with CORS disabled.</blockquote>You should know that setting “no-cors” as the request's mode does not help you to get cross-domain resource at all. Basically, it tells the browser that “Please don't show me any ‘cors' resource. ” I am 99.99% sure that it is not what you wanted. So just forget it. If you really wanted to know what it's like I did. Try to read <a target="_blank" rel="noopener noreferrer" href="https://stackoverflow.com/questions/39109789/what-limitations-apply-to-opaque-responses/39109790#39109790">this resource</a> 10 times. &nbsp;Be honest, I am still not very sure why we need “no-cors”.

CORS error is very common when your application is using cross-domain APIs. Sometimes it could be a false alarm. When there are some other issues of your API server, for example, database connection issue or network issue, which causes “500” internal error, but the response headers of status 500 do not include “Access-Control-Allow-Origin”, so then the browser throws the error no matter what.

False Alarm of CORS Error 

<blockquote>CHECK OUT A BETTER SOLUTION: https://deniapps.com/blog/understanding-cors-preflight-and-custom-headers-in-api-requests</blockquote>For the longest time, I thought I understood how CORS worked — until I started building protections for my API (<code>api.swimstandards.com</code>) against scrapers, and everything broke.Turns out, I had some pretty common misconceptions about CORS, preflight, and what really happens when the browser talks to a backend. So here's what I learned — broken down simply, and hopefully useful for anyone building a secure API on a subdomain.<figure class="image"><img src="https://images.unsplash.com/photo-1609398852723-a2be68f9ac4c?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wxNTQwMTB8MHwxfHNlYXJjaHw0Nnx8Y29yc3xlbnwwfHx8fDE3NTYzMzg4MDh8MA&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=1080"><figcaption>Photo by <a target="_blank" rel="noopener noreferrer" href="https://unsplash.com/@cici9265?utm_source=DNX&amp;utm_medium=referral">Cici Hung</a> on <a target="_blank" rel="noopener noreferrer" href="https://unsplash.com/?utm_source=DNX&amp;utm_medium=referral">Unsplash</a></figcaption></figure><h2>🔍 What Triggered It</h2>I wanted to block scrapers hitting my /protected-url<code>=...</code> API endpoint directly. So I added a custom header on real frontend clicks only, then used a Cloudflare rule to block any API calls that didn’t include this header.It worked — but then it broke for everyone else. Why?Because I didn't understand how CORS preflight works with custom headers and cross-origin requests.<h2>✅ What I Learned (and You Should Too)</h2><h3>1. CORS is required when origins differ — even on localhost</h3>If you're running:Frontend at <code>http://localhost:3000</code>API at <code>http://localhost:3333</code>Then even though it’s the same machine, the ports are different, so the origin is different, and CORS kicks in.<h3>2. Preflight happens when your request isn’t "simple"</h3>Browsers send a preflight <code>OPTIONS</code> request if:You set a custom header (like x-ss-header)You use <code>Content-Type: application/json</code>You use <code>credentials: include</code>You send any method other than <code>GET</code>, <code>POST</code>, <code>HEAD</code>And yes, even just setting <code>Content-Type: application/json</code> is enough to trigger preflight.<h3>3. Preflight can silently fail — and block your real request</h3>If the backend doesn't respond properly to the preflight, the browser will:Never send the real requestSilently fail with a CORS errorAnd Cloudflare will never even see that request, because it never left the browser.<h3>4. <code>app.use(cors())</code> allows everything by default</h3>When using the <code>cors</code> package in Express:<pre><code class="language-plaintext">app.use(cors());</code></pre>This allows:All origins (<code>*</code>)All headersAll methodsBut if you want control — or to use <code>credentials: true</code> — you need to specify origin(s) and headers explicitly.<h3>5. My actual working CORS config</h3>I now use this:<pre><code class="language-plaintext">const allowedOrigins = new Set([
 "https://mydomain.com",
 "https://api.mydomain.com",
 "http://localhost:3000", // local dev
]);

app.use(cors({
 origin: function (origin, callback) {
 if (!origin || allowedOrigins.has(origin)) {
 callback(null, true);
 } else {
 console.warn("❌ Blocked CORS origin:", origin);
 callback(new Error("Not allowed by CORS"));
 }
 },
 credentials: true,
 allowedHeaders: [
 "Content-Type",
 "Authorization",
 "x-my-token", 
 ],
 maxAge: 600, // ⏱️ cache preflight for 10 minutes
}));
</code></pre><h3>6. Cloudflare rules must skip <code>OPTIONS</code> requests</h3>I had a Cloudflare rule like this:<pre><code class="language-plaintext">starts_with(http.request.full_uri, "https://api.mydomain/protected") 
and not len(http.request.headers["x-my-token"]) &gt; 0</code></pre>But that triggered on preflight <code>OPTIONS</code> too — where no headers are sent yet!✅ The fix:<pre><code class="language-plaintext">http.request.method ne "OPTIONS" 
and starts_with(http.request.full_uri, "https://api.mydomain/protected") 
and not len(http.request.headers["x-my-token"]) &gt; 0</code></pre>This skips preflight, and only challenges real requests missing the custom header.<h3>7. I don’t need to whitelist browser headers</h3>I used to think I had to add <code>User-Agent</code>, <code>Accept</code>, <code>Sec-CH-UA</code>, etc. to <code>allowedHeaders</code>.❌ Not true.✅ You only need to list headers you manually set via JavaScript (<code>axios</code>, <code>fetch</code>, etc.)So in my case:<pre><code class="language-plaintext">options.headers = {
 "content-type": "application/json",
 "x-my-token": generateSecretToken(),
 ...(options.headers || {}),
};
</code></pre>Therefore my <code>allowedHeaders</code> only needs to match these.<h3>8. Preflight isn't free, but caching helps</h3>Every preflight request is an extra round trip, which slows down your app if done often.By setting:<pre><code class="language-plaintext">maxAge: 600</code></pre>the browser will cache the preflight for 10 minutes per origin/endpoint combo — which is a good balance.<h2>🧠 Final Thoughts</h2>Before this, I underestimated just how much cross-origin behavior is affected by headers, preflight, and server responses.Now I’ve:Secured my API with custom headersUsed Cloudflare rules to block scrapersLet real browsers through — smoothlyLearned how preflight works for realIf you’ve ever had your <code>fetch()</code> or <code>axios</code> request fail with weird CORS errors — I hope this post saves you hours of debugging.

After struggling with CORS and custom headers while trying to protect my API from scrapers, I finally learned how preflight requests work: any cross-origin request with a custom header or Content-Type: application/json triggers a preflight OPTIONS call. By default, app.use(cors()) allows everything, but to use custom headers and stricter origin checks, you need to configure origin, allowedHeaders, and optionally maxAge for better performance. Cloudflare rules must exclude OPTIONS requests, or they’ll break the preflight. Now, I use a custom header to verify real browser activity, and everything works reliably without blocking legitimate traffic.

How I Finally Understood CORS, Preflight, and Custom Headers (For Real)

Over the course of implementing stricter API protection for a project using custom headers, Cloudflare, and Feathers.js, I went deep into how CORS, preflight requests, and custom headers work — and where performance can unexpectedly take a hit.This post summarizes what I learned.<figure class="image"><img src="https://images.unsplash.com/photo-1648461513491-c8dc79739211?crop=entropy&amp;cs=tinysrgb&amp;fit=max&amp;fm=jpg&amp;ixid=M3wxNTQwMTB8MHwxfHNlYXJjaHw3NHx8Y29yc3xlbnwwfHx8fDE3NTYzNDUwMDV8MA&amp;ixlib=rb-4.1.0&amp;q=80&amp;w=1080"><figcaption>Photo by <a target="_blank" rel="noopener noreferrer" href="https://unsplash.com/@miguelalcantara?utm_source=DNX&amp;utm_medium=referral">Miguel Alcântara</a> on <a target="_blank" rel="noopener noreferrer" href="https://unsplash.com/?utm_source=DNX&amp;utm_medium=referral">Unsplash</a></figcaption></figure><h2>✅ CORS and Preflight Basics</h2><h3>What triggers a preflight (OPTIONS) request?</h3>Any non-simple request will trigger a preflight. In my case:Cross-origin (main site calls a subdomain API)Uses <code>Content-Type: application/json</code>Uses custom headers like <code>ss-cleanup</code> or <code>x-dnxclient-id</code>Therefore, every request results in:An OPTIONS requestA full GET/POST request if preflight succeeds<h3>What’s a “simple request” (that avoids preflight)?</h3>Must satisfy:Method: <code>GET</code>, <code>POST</code>, or <code>HEAD</code>Content-Type: <code>application/x-www-form-urlencoded</code>, <code>multipart/form-data</code>, or <code>text/plain</code>No custom headers<h2>✅ Why My Requests Were Slower Than Expected</h2>My headers looked like this:<pre><code class="language-plaintext">headers: {
 "content-type": "application/json",
 "ss-cleanup": localStorage.getItem("SS-VENDOR_CLEANUP"),
 "x-dnxclient-id": generateNoise()
}
</code></pre>Which meant every fetch sent a preflight, costing ~100–300ms per request, even when calling between subdomains.<h2>✅ Cloudflare Rule to Block Bots</h2>To challenge non-browser bots, I used a custom header (<code>ss-cleanup</code>) that gets injected via real user interaction (mousedown, scroll, etc).Cloudflare rule:<pre><code class="language-plaintext">(starts_with(http.request.uri.path, "/dnxapi/meets")
 and not len(http.request.headers["ss-cleanup"]) &gt; 0
 and http.request.method ne "OPTIONS")
</code></pre><h3>✅ This works well:</h3>Does not block browser preflight requestsBlocks or challenges bots skipping JSCleanly integrates with your frontend<h2>✅ Safer CORS Setup in Feathers Backend (JUST IN CASE WE USE CORS)</h2><pre><code class="language-plaintext">const allowedOrigins = new Set([
 "https://example.com",
 "https://api.example.com",
 "https://community.example.com",
 "https://stg.example.com",
 "http://localhost:3000"
]);

app.use(cors({
 origin: function (origin, callback) {
 if (!origin || allowedOrigins.has(origin)) {
 callback(null, true);
 } else {
 callback(new Error("Not allowed by CORS"));
 }
 },
 credentials: true,
 allowedHeaders: [
 "Content-Type",
 "Authorization",
 "ss-cleanup", // Custom validation header
 "x-dnxclient-id" // Noise header to prevent silent failures
 ],
 maxAge: 600, // Cache preflight result for 10 minutes
}));</code></pre><h2>✅ Better Architecture: Proxy API Through Same Domain</h2>I migrated from:<pre><code class="language-plaintext">example.com (Next.js)
 ↘ fetch https://api.example.com</code></pre>To:<pre><code class="language-plaintext">example.com (Next.js + Apache)
 ↘ proxy /dnxapi/* → http://localhost:8888/*</code></pre><h3>🔥 Key Wins:</h3>✅ No more CORS preflight✅ No DNS lookup for subdomain✅ No cross-origin cookie issues✅ Faster + cleaner setup✅ Cloudflare security rules still work<pre><code class="language-plaintext">RewriteRule ^/dnxapi/(.*)$ http://localhost:8888/$1 [P,L]</code></pre><h2>📝 Notes &amp; Final Takeaways</h2>Access-Control-Max-Age is URL-specificPreflight result is cached per exact URL. Even a minor query change busts the cache.Changing to same-origin (via proxy) is the real fixRemoves CORS entirely – NO MORE PREFLIGHT!No DNS lookup.No cross-site concerns.Feels much faster.

Over the course of implementing stricter API protection for a project using custom headers, Cloudflare, and Feathers.js, I went deep into how CORS, preflight requests, and custom headers work — and where performance can unexpectedly take a hit.

All Posts In Cors