
CORS, finally explained

Why your fetch fails, and the headers that make it work.

Elevatools Team · 2026-01-15 · 3 min

The rule

Browsers block cross-origin XHR/fetch unless the server explicitly allows it via headers.

The headers

  • Access-Control-Allow-Origin — the origin allowed to read the response: either the specific requesting origin or *.
  • Access-Control-Allow-Credentials — set true to allow cookies.
  • Access-Control-Allow-Methods — list of allowed verbs.
  • Access-Control-Allow-Headers — list of allowed custom headers.

Preflight

Browsers send an OPTIONS request first for any “non-simple” request. The server must respond 200 with the right headers, or the real request never fires.

Cookies

If you send Access-Control-Allow-Credentials: true, Access-Control-Allow-Origin MUST name a specific origin; browsers reject the wildcard * in that combination.
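The headers, preflight and cookie rules above, put together in one server-side policy function. This is an added example, not code from the article or from Elevatools: it is framework-agnostic, takes the request method and a lowercase-keyed header object (as Node's req.headers provides), and returns the status and CORS headers to send. The origin allowlist and header names are constructed sample values.

```javascript
// Constructed allowlist: only these origins may read responses. Never derive
// Access-Control-Allow-Origin by echoing an arbitrary Origin header.
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",
  "https://admin.example.com",
]);
const ALLOWED_METHODS = ["GET", "POST", "PUT", "DELETE"];
const ALLOWED_HEADERS = ["Content-Type", "Authorization", "X-Requested-With"];

// Returns { status, headers }. status === null means "not a preflight;
// let the real route choose the status and merge these headers in".
function corsHeaders(method, reqHeaders) {
  const origin = reqHeaders["origin"];
  // No Origin header: same-origin or non-browser client; nothing to add.
  if (origin === undefined) return { status: null, headers: {} };

  // Unknown origin: emit no Allow-Origin at all, so the browser blocks the read.
  // Vary: Origin keeps shared caches from reusing this answer for another origin.
  if (!ALLOWED_ORIGINS.has(origin)) {
    return { status: method === "OPTIONS" ? 403 : null, headers: { Vary: "Origin" } };
  }

  const headers = {
    // Specific origin, never "*": credentials are allowed below.
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    Vary: "Origin",
  };

  // Preflight: OPTIONS carrying Access-Control-Request-Method.
  const wanted = reqHeaders["access-control-request-method"];
  if (method === "OPTIONS" && wanted !== undefined) {
    const askedHeaders = (reqHeaders["access-control-request-headers"] || "")
      .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);
    const allowedLower = ALLOWED_HEADERS.map((h) => h.toLowerCase());
    const headersOk = askedHeaders.every((h) => allowedLower.includes(h));
    if (!ALLOWED_METHODS.includes(wanted.toUpperCase()) || !headersOk) {
      return { status: 403, headers: { Vary: "Origin" } }; // real request never fires
    }
    headers["Access-Control-Allow-Methods"] = ALLOWED_METHODS.join(", ");
    headers["Access-Control-Allow-Headers"] = ALLOWED_HEADERS.join(", ");
    headers["Access-Control-Max-Age"] = "600"; // cache the preflight for 10 minutes
    return { status: 200, headers };
  }
  return { status: null, headers };
}
```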
