
CORS policy blocks access to webapp

Are you looking for help?

This is a support forum for reporting issues related to Backendless services. Please note that due to our support policy we cannot provide you help with debugging your code, consulting in regards to any language or third-party library usage. For this kind of questions we recommend using more appropriate forums like Stack Overflow.

In order to suggest you a quality solution, we shall usually ask you to provide the details mentioned below first. Including them into your topic right away helps us to start investigating your issue much faster.

In case you have a suggestion or an idea, the details below are not always required, though still any additional background is welcome.

Backendless Version (3.x / 5.x, Online / Managed / Pro )


Client SDK (REST / Android / Objective-C / Swift / JS )

Application ID

Expected Behavior

Please describe the expected behavior of the issue, starting from the first action.

Webapp works without CORS error in the browser console

Actual Behavior

Please provide a description of what actually happens, working from the same starting point.

Be descriptive: “it doesn’t work” does not describe what the behavior actually is – instead, say “the request returns a 400 error with message XXX”. Copy and paste your logs, and include any URLs.

After deploying the webapp a CORS error blocks requests from the browser:

Reproducible Test Case

Please provide a simple code that could be run in a new clean app and reproduce the issue.

If the issue is more complex or requires configuration, please provide a link to a project on Github that reproduces the issue.

Hello @Oliver_Donnerhak

We will investigate your problem and answer you as soon as possible.


@Oliver_Donnerhak what is the domain and port where you try to log in?
Also, what value do you get for the Access-Control-Allow-Origin header?

The following URL I try to use to login

Also, what value do you get for the Access-Control-Allow-Origin header?

The login request does not have any header like this.
Other requests have Access-Control-Allow-Origin: *

@Oliver_Donnerhak I am talking about the response Access-Control-Allow-Origin header

@sergey.kuk Yes, I know - but as the request is blocked there is no response.
You can try it at

@Oliver_Donnerhak to avoid CORS you can export the request as curl

I have done it for you:

ksv@ip-192-168-1-145 ~ % curl '' -H 'Accept: application/json' -H 'Referer:' -H 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36' -H 'Content-Type: application/json' --data-binary '{"email":"test","password":"test"}' --compressed -i

HTTP/1.1 404 Not Found
X-Powered-By: Express
Content-Security-Policy: default-src 'none'
X-Content-Type-Options: nosniff
Content-Type: text/html; charset=utf-8
Content-Length: 237
Date: Wed, 15 Apr 2020 07:37:51 GMT
Connection: keep-alive

<!DOCTYPE html>
<html lang="en">
<meta charset="utf-8">
<pre>Cannot POST /api/5978627C-79F8-A1C4-FFEE-82D04295B100/472ABB42-DDF0-4CDD-B324-E03E1E7DDA69/services/auth/login</pre>

As you can see, your load balancer does not know anything about /api/5978627C-79F8-A1C4-FFEE-82D04295B100/472ABB42-DDF0-4CDD-B324-E03E1E7DDA69/services/auth/login

and the response does not contain CORS, that is why the browser does not handle the request.
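
The diagnosis in the post above, as an added example that is not part of the thread or of Backendless code: it reads a raw `curl -i` response and reports whether a browser's CORS check would let the page read it, so a routing error such as the 404 above is not mistaken for a CORS misconfiguration. The sample response is constructed from the headers quoted in the thread; the origin `https://app.example.com` and the function names are assumptions.

```javascript
// Added example (not from the thread): judge a raw `curl -i` response the way
// a browser's CORS check would. SAMPLE_404 is constructed from the headers
// quoted above; the origin used in the usage line is a placeholder.
const SAMPLE_404 = [
  "HTTP/1.1 404 Not Found",
  "X-Powered-By: Express",
  "Content-Security-Policy: default-src 'none'",
  "Content-Type: text/html; charset=utf-8",
  "",
  "(body omitted)",
].join("\r\n");

// Split the header block from the body and index headers by lowercase name.
function parseResponse(raw) {
  const head = raw.split(/\r?\n\r?\n/)[0].split(/\r?\n/);
  const status = parseInt(head[0].split(" ")[1], 10);
  const headers = {};
  for (const line of head.slice(1)) {
    const i = line.indexOf(":");
    if (i > 0) headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
  }
  return { status, headers };
}

// Returns { allowed, status, reason } for a cross-origin read by pageOrigin.
function corsVerdict(raw, pageOrigin, withCredentials = false) {
  const { status, headers } = parseResponse(raw);
  const acao = headers["access-control-allow-origin"];
  const deny = (reason) => ({ allowed: false, status, reason });
  if (acao === undefined) return deny("no Access-Control-Allow-Origin header");
  if (acao === "*") {
    // A wildcard never satisfies a request sent with cookies or HTTP auth.
    if (withCredentials) return deny("wildcard not accepted with credentials");
    return { allowed: true, status, reason: "wildcard origin" };
  }
  if (acao !== pageOrigin) return deny("origin mismatch: " + acao);
  if (withCredentials && headers["access-control-allow-credentials"] !== "true")
    return deny("Access-Control-Allow-Credentials is not true");
  return { allowed: true, status, reason: "origin matches" };
}

// The 404 from the thread: blocked because of the missing header, and the
// status shows the real fault is that nothing serves this path.
console.log(corsVerdict(SAMPLE_404, "https://app.example.com"));
```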