I'm getting 403 when it tries to access the endpoint hosted on Heroku

This is my website: https://deluxe-fairy-93d7a3.netlify.app

As you can see there are no products displayed. I am hosting the Spring Boot app on Heroku and it all works well when I’m accessing the endpoints, but when it tries to access them from Heroku I get the 403 error as shown below.

@g1o The errors in the console indicate the problem would be on the Heroku side of things.

Specifically it looks like it’s being blocked by CORS.

Thank you for making this clear! Any advice?

I have no idea what you’re doing on the Heroku side of things, but you could just generally look into CORS, why you’re encountering the problem and then either handle it manually or look into using some middleware like cors - npm

Thank you! I’ll try and come back with the solution.

Using Netlify Rewrites is a simpler solution to avoid CORS.

I tried but with no success. I tried this rewrite: "/api/* https://api.example.com/:splat 200". Maybe I didn’t do it the right way. Here is my code, can you tell me how to rewrite properly?

I finally found out how to solve the problem. I created this new class in my services folder:

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.stereotype.Component;

// Registered as a Spring bean so Spring Boot adds it to the servlet filter chain.
@Component
public class SimpleCORSFilter implements Filter {

    private final Logger log = LoggerFactory.getLogger(SimpleCORSFilter.class);

    public SimpleCORSFilter() {
        log.info("SimpleCORSFilter init");
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain) throws IOException, ServletException {

        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Echoes the Origin header of the incoming request back as the allowed origin.
        response.setHeader("Access-Control-Allow-Origin", request.getHeader("Origin"));
        response.setHeader("Access-Control-Allow-Credentials", "true");
        response.setHeader("Access-Control-Allow-Methods", "POST, GET, OPTIONS, DELETE");
        response.setHeader("Access-Control-Max-Age", "3600");
        response.setHeader("Access-Control-Allow-Headers", "Content-Type, Accept, X-Requested-With, remember-me");

        chain.doFilter(req, res);
    }

    public void init(FilterConfig filterConfig) {
    }

    public void destroy() {
    }
}
```

As simple as that!

Thanks for coming back and letting us know your solution! This will be beneficial for future Forums members who encounter something similar.