FastAPI CORS Errors Explained and Fixed Before You Blame the Frontend
A practical FastAPI CORS guide covering browser preflight behavior, allowed origins, middleware setup, credentials, and why “it works in Postman” proves almost nothing.
The classic trap: developers test an endpoint with Postman, it works, then the browser blocks the request and everyone starts blaming the frontend. That usually means you are dealing with CORS, not a broken API route.
What CORS is actually protecting
CORS stands for Cross-Origin Resource Sharing. Browsers enforce it when frontend code from one origin tries to talk to another origin.
An origin is a combination of:
- protocol
- domain
- port
So these are different origins:
http://localhost:3000
http://localhost:8000
https://myapp.comEven localhost becomes different if the port changes.
Why Postman misleads people
Postman is not a browser. It does not enforce browser CORS rules the same way. So “the endpoint works in Postman” does not prove the browser should accept it.
If your frontend is blocked but Postman works, that is often evidence for a CORS issue, not against it.
The correct FastAPI middleware setup
Use CORSMiddleware:
from fastapi import FastAPI
from fastapi.middleware.cors import CORSMiddleware
app = FastAPI()
origins = [
"http://localhost:3000",
"http://127.0.0.1:3000",
]
app.add_middleware(
CORSMiddleware,
allow_origins=origins,
allow_credentials=True,
allow_methods=["*"],
allow_headers=["*"],
)That is the basic pattern documented by FastAPI.
A common bad setup
People often try this in development:
allow_origins=["*"]and then also set:
allow_credentials=TrueThat combination is not what many people think it is. Wildcard-origin behavior and credentialed requests do not mix cleanly for browser security reasons. If your frontend sends cookies or authorization credentials, define explicit origins instead of using *.
What a preflight request is
Before some cross-origin requests, the browser sends an OPTIONS request first. That is a preflight request. It asks the server whether the real request is allowed.
If your backend or proxy mishandles the preflight, the actual request may never happen.
This is why logs matter. If the browser says CORS failed, check whether the backend even answered the OPTIONS request correctly.
A useful debugging checklist
When the browser reports a CORS failure, check:
- what exact frontend origin is making the request
- whether that origin appears in
allow_origins - whether the request uses credentials
- whether the backend is replying to preflight
OPTIONS - whether a reverse proxy is stripping headers
Development example with frontend on port 3000
If your React or Next.js frontend runs on:
http://localhost:3000and FastAPI runs on:
http://localhost:8000then this is cross-origin and you need CORS middleware.
Why proxies can make this worse
Sometimes FastAPI is configured correctly but the real deployment still fails because:
- Nginx strips response headers
- a platform proxy overrides behavior
- the request reaches a different service than expected
So if local development works but staging fails, check the response headers in the browser network tab, not only your Python code.
Final recommendation
Do not “fix” CORS by turning everything into a wildcard unless you understand the security tradeoff and the credential behavior. A better default is explicit allowed origins in development and production.
CORS bugs look mysterious when you treat them as frontend drama. They become much simpler when you remember one rule: the browser is enforcing origin policy, and your backend has to answer that policy clearly.