All Posts in CORS

False Alarm of CORS Error
Adam C.
CORS errors are very common when your application uses cross-domain APIs. Sometimes the error is a false alarm. When the API server has some other problem, for example a database connection issue or a network issue, that causes a “500” internal error, and the response headers of that status 500 response do not include “Access-Control-Allow-Origin”, the browser throws the CORS error no matter what.
How I Finally Understood CORS, Preflight, and Custom Headers (For Real)
Adam C.
After struggling with CORS and custom headers while trying to protect my API from scrapers, I finally learned how preflight requests work: any cross-origin request with a custom header or Content-Type: application/json triggers a preflight OPTIONS call. By default, app.use(cors()) allows everything, but to use custom headers and stricter origin checks, you need to configure origin, allowedHeaders, and optionally maxAge for better performance. Cloudflare rules must exclude OPTIONS requests, or they’ll break the preflight. Now, I use a custom header to verify real browser activity, and everything works reliably without blocking legitimate traffic.
🧠 Understanding CORS, Preflight, and Custom Headers in API Requests
Adam C.
Over the course of implementing stricter API protection for a project using custom headers, Cloudflare, and Feathers.js, I went deep into how CORS, preflight requests, and custom headers work — and where performance can unexpectedly take a hit.