
🚀 How to Fix CORS Errors in Node.js & IIS (Complete Guide)

CORS errors are one of the most frustrating issues developers face when connecting a frontend (React, Vite, Angular) to a backend (Node.js/Express). Everything works fine in Postman—but suddenly breaks in the browser.

If you’ve ever seen this error:

“Access to fetch at 'API URL' from origin 'Frontend URL' has been blocked by CORS policy…”

This guide will help you fix it step by step.

🔍 What is CORS?

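CORS (Cross-Origin Resource Sharing) is the browser mechanism that lets a server opt in to cross-origin requests. By default the browser's same-origin policy stops a page from reading responses from a different origin (scheme, host and port) unless the server explicitly allows it.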

Example:

👉 These are different origins, so the browser blocks the request unless the backend allows it.

⚠️ Why It Works in Postman but Not in Browser

Postman does not enforce CORS, but browsers do.

That’s why:

  • ✅ API works in Postman

  • ❌ Fails in frontend

✅ Solution 1: Enable CORS in Node.js (Express)

Install CORS middleware:

npm install cors

Then update your server:

const cors = require("cors");

app.use(cors({
  origin: "http://localhost:5173", // your frontend URL
  credentials: true
}));

✅ Solution 2: Allow All Origins (Quick Fix)

app.use(cors());

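⚠️ Not recommended for production, but useful for testing: with no options the middleware answers with Access-Control-Allow-Origin: *, so a page on any website can read the API's responses.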

✅ Solution 3: Fix CORS in IIS (Important for Deployment)

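If you're using IIS with iisnode, you must add the CORS response headers at the server level.

Add this to web.config (the value * does not work together with credentials: true from Solution 1; for cookie-based requests use the exact frontend URL instead):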

<configuration>
  <system.webServer>
    <httpProtocol>
      <customHeaders>
        <add name="Access-Control-Allow-Origin" value="*" />
        <add name="Access-Control-Allow-Headers" value="Content-Type, Authorization" />
        <add name="Access-Control-Allow-Methods" value="GET, POST, PUT, DELETE, OPTIONS" />
      </customHeaders>
    </httpProtocol>
  </system.webServer>
</configuration>

✅ Solution 4: Handle Preflight Requests (OPTIONS)

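Browsers send an OPTIONS (preflight) request before API calls that are not "simple" requests, for example calls with a JSON body, an Authorization header, or the PUT and DELETE methods.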

Add this in Express:

app.options("*", cors());
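
The header logic behind Solutions 1 and 4, written out in plain Node.js as an added example (not code from the original guide and not the cors package's implementation). The allowlist constants, the function names and the 403 answer for a rejected preflight are assumptions of this sketch; http://localhost:5173 is the frontend URL from Solution 1.

```javascript
// Added example: CORS headers decided from an explicit origin allowlist.
const ALLOWED_ORIGINS = new Set(["http://localhost:5173"]); // frontend URL from Solution 1
const ALLOWED_METHODS = ["GET", "POST", "PUT", "DELETE", "OPTIONS"];
const ALLOWED_HEADERS = ["content-type", "authorization"];

// Returns { status, headers }. status is a number only when a preflight
// should be answered right away; null means "continue to the route".
function corsDecision(method, reqHeaders) {
  const origin = reqHeaders["origin"];
  // Vary: Origin stops caches from serving one origin's response to another.
  const headers = { Vary: "Origin" };

  // No Origin header (Postman, curl) or an origin outside the allowlist:
  // grant nothing, so the browser refuses to hand the response to the page.
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return { status: null, headers };

  // Echo the exact origin: browsers reject "*" on requests sent with cookies.
  headers["Access-Control-Allow-Origin"] = origin;
  headers["Access-Control-Allow-Credentials"] = "true";

  const wantedMethod = reqHeaders["access-control-request-method"];
  if (method !== "OPTIONS" || !wantedMethod) return { status: null, headers };

  // Preflight: approve only the methods and headers the API really uses.
  const wantedHeaders = (reqHeaders["access-control-request-headers"] || "")
    .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);
  const ok = ALLOWED_METHODS.includes(wantedMethod) &&
    wantedHeaders.every((h) => ALLOWED_HEADERS.includes(h));
  if (!ok) return { status: 403, headers: { Vary: "Origin" } }; // 403 is this sketch's choice

  headers["Access-Control-Allow-Methods"] = ALLOWED_METHODS.join(", ");
  headers["Access-Control-Allow-Headers"] = ALLOWED_HEADERS.join(", ");
  return { status: 204, headers };
}

// Middleware wrapper for Express or plain Node http (setHeader / end only).
function corsMiddleware(req, res, next) {
  const { status, headers } = corsDecision(req.method, req.headers);
  for (const [name, value] of Object.entries(headers)) res.setHeader(name, value);
  if (status === null) return next();
  res.statusCode = status;
  res.end();
}
```

A request from an origin outside the allowlist still reaches the route handler; the missing headers only stop the browser from exposing the response to the calling page, so CORS is no substitute for authentication on the API itself.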

🔥 Common Mistakes

  • ❌ Forgetting credentials: true

  • ❌ Using * with cookies (not allowed)

  • ❌ Not handling OPTIONS request

  • ❌ Backend URL mismatch

  • ❌ Missing headers in IIS

🧪 Debug Checklist

  • Check browser Network tab

  • Verify response headers:

    • Access-Control-Allow-Origin

    • Access-Control-Allow-Headers

  • Confirm frontend URL matches backend config

🏁 Final Thoughts

CORS is not a bug—it’s a security feature. Once you understand how it works, fixing it becomes straightforward.

If you're deploying with IIS + Node.js, always configure both:

  • Express middleware

  • IIS headers

 
 
 
