I have a Node.js/Express backend deployed on Render at and a frontend. My backend uses the cors middleware and also manually sets CORS headers for allowed origins, including my production frontend domains, the default render domain and the custom domain that I have through GoDaddy.
Despite this, when my frontend tries to call the API, I get the following error in the browser:
Access to fetch at ‘/api/auth/subscribe’ from origin ‘’ has been blocked by CORS policy: Response to preflight request doesn’t pass access control check: No ‘Access-Control-Allow-Origin’ header is present on the requested resource.
The ALLOWED_ORIGINS environment variable includes my frontend domain.
The server sets Access-Control-Allow-Origin dynamically based on the request origin.
The error only occurs in production (works locally).
Is there a Render-specific configuration or networking issue that could be blocking CORS headers from being sent, or is there something else I should check in my deployment settings?
// CORS policy for local development
const envOrigins = process.env.ALLOWED_ORIGINS;
const allowedOrigins = envOrigins
? envOrigins.split(',').map(o => o.trim())
: [
'http://localhost:3000',
'http://127.0.0.1:3000',
'http://localhost:5173',
'http://127.0.0.1:5173'
];
console.log("Allowed origins:", allowedOrigins);
app.use(cors({
origin: allowedOrigins,
credentials: true,
methods: "GET,HEAD,PUT,PATCH,POST,DELETE",
}));
// Set Access-Control-Allow-Origin header for all responses and handle preflight
app.use((req, res, next) => {
const origin = req.headers.origin;
if (allowedOrigins.includes(origin)) {
res.setHeader('Access-Control-Allow-Origin', origin);
res.setHeader('Access-Control-Allow-Credentials', 'true');
res.setHeader('Access-Control-Allow-Methods', 'GET,HEAD,PUT,PATCH,POST,DELETE');
res.setHeader('Access-Control-Allow-Headers', 'Origin, X-Requested-With, Content-Type, Accept, Authorization');
}
if (req.method === 'OPTIONS') {
res.sendStatus(204);
} else {
next();
}
});