Question 1

What is CORS and why do I get CORS errors?

Accepted Answer

CORS (Cross-Origin Resource Sharing) is a browser security mechanism that blocks requests from one domain to another unless the server explicitly allows it with Access-Control headers. You get CORS errors when your frontend (e.g. localhost:3000) calls an API on a different origin (e.g. api.yourdomain.com) and the API does not include the correct CORS headers in its response.

Question 2

How do I fix CORS errors in Next.js?

Accepted Answer

You have two options. For app-wide CORS, add a middleware.ts file at the project root that intercepts requests matching /api/* and adds the Access-Control headers. For per-route CORS, export an OPTIONS handler in your route file that returns the CORS headers with a 204 status. Both approaches need to handle preflight OPTIONS requests.

Question 3

Should I use Access-Control-Allow-Origin: * in production?

Accepted Answer

No. A wildcard origin allows any website to make requests to your API, which is a security risk for authenticated endpoints. In production, list the specific origins that should have access. The wildcard is acceptable for truly public APIs that serve anonymous data with no authentication.

Question 4

What is a preflight request?

Accepted Answer

A preflight request is an automatic OPTIONS request the browser sends before certain cross-origin requests. It happens when the request uses a method other than GET, HEAD, or POST, or includes custom headers like Authorization. The server must respond with the allowed methods and headers. Caching preflight responses with Access-Control-Max-Age reduces repeated OPTIONS requests.

Question 5

Why does credentials: true not work with wildcard origins?

Accepted Answer

Browsers enforce a security rule that rejects Access-Control-Allow-Origin: * when credentials (cookies, Authorization headers) are included. When you need credentials, the server must echo back the exact requesting origin instead of using a wildcard. This prevents any arbitrary site from making authenticated requests to your API.

Question 6

What headers should I allow in CORS?

Accepted Answer

At minimum, allow Content-Type so clients can send JSON. If your API uses token-based auth, add Authorization. Only allow headers your API actually reads. Each additional header expands the attack surface slightly, so avoid blanket allowlists. Common additions are X-Requested-With for AJAX libraries and X-CSRF-Token for CSRF protection.

CORS Configuration Generator

Framework

Allowed Origins

Allowed Methods

Allowed Headers

Allow Credentials

Preflight Cache (Max-Age)

Generated Next.js Code

More Free Tools

Building a SaaS?