Support Topics Documentation Slack YouTube Blog

Blocked by CORS policy: No 'Access-Control-Allow-Origin'

hi all,
I realize this is a rather common issue but unfortunately I have not been able to resolve it. I have a backendless 5 app, which I interact with without problems from iOS. I have built a web platform using Angular, and the JavaScript library you provide.

Everything works well when working form localhost, but I cannot get this to work when I deploy to Heroku. Just to give you the full picture, I have another backendless app (this time 3), also with an Angular frontend and deployed on Heroku, where everything works without problems with the same configuration.

Can you help or is there any additional information I can provide here to get past this issue? I have tried different things unsuccessfully, not sure if something needs to be configured differently on my backendless app or elsewhere

Thank you for your help

Hi @Alessandra_Saviotti,

See if this will help you:


thank you Mark, I have tried this even though my understanding is that the default (*) would always work as it allows all domains. I have now tried both the default and the exact web address I am using, but both return the same error.

Anything else? I’m stuck here unfortunately, thanks

With CORS the most important part is an HTTP request called OPTIONS. You can see it in the browser’s Network tab. Could you try to gather more information about what the browser sends to Backendless, what it receives back and what’s most importantly what’s missing in the response that results in the API calls being blocked? Once you have these findings, please post here and we will look into it.


thank you Mark, I have modified my server.js to include the access control strings that were supposed to sort this out:

app.use(function(req, res, next) {
res.header(“Access-Control-Allow-Origin”, ‘*’);
res.header(“Access-Control-Allow-Credentials”, true);
res.header(‘Access-Control-Allow-Methods’, ‘GET,PUT,POST,DELETE,OPTIONS’);
res.header(“Access-Control-Allow-Headers”, ‘Origin,X-Requested-With,Content-Type,Accept,content-type,application/json’);


Could you check what’s in the actual response for the POST request? I see it says there are 125 bytes in the response, I am curious what it shows.

1 Like

alright my bad, thank you so much for guiding me towards a solution, via the payload I could see that there was an error in the API KEY used, which was not set correctly for production (but only for development).

Not sure why the error triggered was something that seemed unrelated but the payload included the correct message, so that the application was not found (due to the wrong key).

All up and running now also in production, thank you again for your time and help

1 Like

Glad you got it working!

I am also having this CORS Policy error

for reference: I am working through

Task: Invoke the API Service using generated client SDK

I am unfamiliar with Javascript and am unsure where to look for my errors.

I imported the extra files
Screen Shot 2020-09-29 at 2.16.57 PM

I am not sure whee to go next. I’d like to start by removing the CORS error.

When i look in the console at domain control, I believe it is set how it should be to not produce this error.

Hi @jared_gibb,

I think it would be better to start a new topic for this problem.


Thank you mark