rest - Has been blocked by CORS policy: Response to preflight request doesn’t pass access control check - TagMerge
6Has been blocked by CORS policy: Response to preflight request doesn’t pass access control checkHas been blocked by CORS policy: Response to preflight request doesn’t pass access control check

Has been blocked by CORS policy: Response to preflight request doesn’t pass access control check

Asked 1 years ago
6 answers

I believe this is the simplest example:

header := w.Header()
header.Add("Access-Control-Allow-Origin", "*")
header.Add("Access-Control-Allow-Methods", "DELETE, POST, GET, OPTIONS")
header.Add("Access-Control-Allow-Headers", "Content-Type, Authorization, X-Requested-With")

You can also add a header for Access-Control-Max-Age and of course you can allow any headers and methods that you wish.

Finally you want to respond to the initial request:

if r.Method == "OPTIONS" {

Edit (June 2019): We now use gorilla for this. Their stuff is more actively maintained and they have been doing this for a really long time. Leaving the link to the old one, just in case.

Old Middleware Recommendation below: Of course it would probably be easier to just use middleware for this. I don't think I've used it, but this one seems to come highly recommended.

Source: link


This answer explains what's going on behind the scenes, and the basics of how to solve this problem in any language. For reference, see the MDN docs on this topic.

You are making a request for a URL from JavaScript running on one domain (say to an API running on another domain ( When you do that, the browser has to ask if it's okay to allow requests from It does that with an HTTP OPTIONS request. Then, in the response, the server on has to give (at least) the following HTTP headers that say "Yeah, that's okay":

HTTP/1.1 204 No Content                            // or 200 OK
Access-Control-Allow-Origin:  // or * for allowing anybody
Access-Control-Allow-Methods: POST, GET, OPTIONS   // What kind of methods are allowed
...                                                // other headers

If you're in Chrome, you can see what the response looks like by pressing F12 and going to the "Network" tab to see the response the server on is giving.

So, back to the bare minimum from @threeve's original answer:

header := w.Header()
header.Add("Access-Control-Allow-Origin", "*")

if r.Method == "OPTIONS" {

This will allow anybody from anywhere to access this data. The other headers he's included are necessary for other reasons, but these headers are the bare minimum to get past the CORS (Cross Origin Resource Sharing) requirements.

Source: link


Enable cross-origin requests in ASP.NET Web API click for more info

Enable CORS in the WebService app. First, add the CORS NuGet package. In Visual Studio, from the Tools menu, select NuGet Package Manager, then select Package Manager Console. In the Package Manager Console window, type the following command:

Install-Package Microsoft.AspNet.WebApi.Cors

This command installs the latest package and updates all dependencies, including the core Web API libraries. Use the -Version flag to target a specific version. The CORS package requires Web API 2.0 or later.

Open the file App_Start/WebApiConfig.cs. Add the following code to the WebApiConfig.Register method:

using System.Web.Http;
namespace WebService
    public static class WebApiConfig
        public static void Register(HttpConfiguration config)
            // New code

                name: "DefaultApi",
                routeTemplate: "api/{controller}/{id}",
                defaults: new { id = RouteParameter.Optional }

Next, add the [EnableCors] attribute to your controller/ controller methods

using System.Net.Http;
using System.Web.Http;
using System.Web.Http.Cors;

namespace WebService.Controllers
    [EnableCors(origins: "", headers: "*", methods: "*")]
    public class TestController : ApiController
        // Controller methods not shown...

Enable Cross-Origin Requests (CORS) in ASP.NET Core

Source: link


In this situation, you need to modify your code so that the request to the different origin does not contain CORS headers. In JavaScript, the behaviour can be achieved by passing {mode: 'no-cors'} in fetch:
fetch('', {mode: 'no-cors'})
If you have access to the server, you can configure the server to grab the value of the Origin header the client sends, then echo it back to Access-Control-Allow-Origin response header. In nginx configuration language, the setting can be set by placing the line below into the config file.
add_header Access-Control-Allow-Origin $http_origin

Source: link


In my Core WebApi , I have been configured Configure method in Startup.cs file like this:
But when I attempt to post data to an Action method (using axios) . Bellow error occure:
Access to XMLHttpRequest at 'my domain' from origin 'my domain' has been blocked by CORS policy: Response to preflight request doesn't pass access control check: No 'Access-Control-Allow-Origin' header is present on the requested resource.

Source: link


mkdir cors
cd cors
go mod init cors
go get
go get
        <meta charset="UTF-8" />
        <title>Fixing Common Issues with CORS</title>
        <h1>Fixing Common Issues with CORS</h1>
            <textarea id="messages" name="messages" rows="10" cols="50">Messages</textarea><br/>
            <form id="form1">
                <input type="button" value="Get v1" onclick="onGet('v1')"/>
                <input type="button" value="Get v2" onclick="onGet('v2')"/>
function onGet(version) {
    const url = "http://localhost:8000/api/" + version + "/messages";
    var headers = {}
    fetch(url, {
        method : "GET",
        mode: 'cors',
        headers: headers
    .then((response) => {
        if (!response.ok) {
            throw new Error(response.error)
        return response.json();
    .then(data => {
        document.getElementById('messages').value = data.messages;
    .catch(function(error) {
        document.getElementById('messages').value = error;
package main

import (

func main() {
	r := gin.Default()
	r.Use(static.Serve("/", static.LocalFile("./frontend", false)))

Source: link

Recent Questions on rest

    Programming Languages