Heroku + Netlify gives - CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource

malpick · February 5, 2022, 11:50pm

Hi there,

I’m having issues with deploying an application that uses heroku for server/backend (node js (express)) and netlify for client (React).

Seems like I’m running into this error when trying to make use of api calls between heroku and netlify.

Access to XMLHttpRequest at ‘https://avanzbase.herokuapp.com/popular-stock?symbol=DIS’ from origin ‘https://upbeat-northcutt-4650a4.netlify.app’ has been blocked by CORS policy: No ‘Access-Control-Allow-Origin’ header is present on the requested resource.

I have looked through a lot of questions regarding this but can’t figure out how to solve it. As I understand you are suppose to have a file - netlify.toml in root directory in client to handle redirects and headers, which I have added like so:

# The following redirect is intended for use with most SPAs that handle
# routing internally.
[[redirects]]
  from = "/*"
  to = "/index.html"
  status = 200

[[headers]]
  # Define which paths this specific [[headers]] block will cover.
  for = "/*"
    [headers.values]
    Access-Control-Allow-Origin = "*"

However, this has not helped. I also understand that sometimes it may be necessary to create a proxy? But if possible I would prefer not having to do this step.

Moving on to what the code looks like at the moment.

This is what the server side looks like at the moment (including “/popular-stock” at the end to give you an idea of how it looks):

const express = require("express");
const app = express();
require("dotenv").config();
const cors = require("cors");
const mysql = require("mysql");
const jwt = require("jsonwebtoken");
const cookieParser = require("cookie-parser");

// port for heroku if needed
const PORT = 3001;

// app objects instantiated on creation of the express server
app.use(
  cors({
    origin: ["https://upbeat-northcutt-4650a4.netlify.app"],
    methods: ["GET", "POST", "DELETE"],
    credentials: true,
    origin: true,
  })
);
app.use(express.json());
app.use(express.urlencoded({ extended: true }));
app.use(cookieParser());

app.get("/popular-stock", async (req, res) => {
  try {
    const response = await axios.get(
      `https://finnhub.io/api/v1/quote?symbol=${req.query.symbol}&token=${process.env.REACT_APP_API__KEY_FINNHUB}`
    );
    res.json(response.data);
  } catch (e) {
    console.log(`Axios request failed: ${e}`);
  }
});

app.listen(process.env.PORT || PORT, () => {
  console.log(`Server running on port ${PORT}`);
});

And for the client side it looks like this:

import axios from "axios";

export const GetPopularStockData = (symbol) => {
  try {
    const response = axios
      .get(`https://avanzbase.herokuapp.com/popular-stock?symbol=${symbol}`, {})
      .catch(function (err) {
        if (err.response) {
          return err.response;
        }
      });
    return response;
  } catch (e) {
    console.log(`Axios request failed: ${e}`);
    return null;
  }
};

Site name: https://upbeat-northcutt-4650a4.netlify.app

coelmay · February 5, 2022, 11:52pm

Hey @malpick

The netlify.toml file needs to exist at the root of the repository, not in the src directory. Can you move it and see if that fixes the issue.

malpick · February 6, 2022, 12:02am

I tried moving it out from src to root and depolyed again but it didn’t seem to help. The same issue still persist.

hrishikesh · February 6, 2022, 3:58pm

The CORS error is being returned by Heroku, not Netlify. So adding headers to Netlify would not help.

You need proxy rewrites:

eltonjorn · May 31, 2023, 12:41pm

This error typically occurs in web development when making cross-origin requests. This error is related to the same-origin policy implemented by web browsers for security reasons. The same-origin policy restricts web pages from making requests to a different domain unless the server explicitly allows it by including the ‘Access-Control-Allow-Origin’ header in the response. To resolve this issue, the server hosting the requested resource needs to include the appropriate ‘Access-Control-Allow-Origin’ header, specifying the domain or origins allowed to access the resource. This can be done by configuring the server’s response headers or by using server-side middleware or frameworks that handle cross-origin requests.

JSON with Padding is just a way to circumvent same-origin policy, when CORS is not an option. This is risky and a bad practice. Avoid using this.

If you want to bypass that restriction when fetching the contents with fetch API or XMLHttpRequest in javascript, you can use a proxy server so that it sets the header Access-Control-Allow-Origin to *.

If you need to enable CORS on the server in case of localhost, you need to have the following on request header.

Access-Control-Allow-Origin: http://localhost:9999

Topic		Replies	Views
CORs and Netlify - API requests not working on deployment Support deployment	10	4046	December 10, 2021
Netlify CORS policy problem Support authentication , create-react-app , headers	3	2312	May 20, 2022
Netlify Web App x Netlify Express App gives - CORS policy: No ‘Access-Control-Allow-Origin’ header is present on the requested resource Support netlify-newbie	12	688	April 25, 2023
Access-Control-Allow-Origin Policy Support authentication , cors	74	61789	March 5, 2024
Blocked by CORS. React SPA on Netlify. Rails API on Heroku Support redirects	15	10026	February 11, 2023

Heroku + Netlify gives - CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource

Related topics