This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(243.2, 21%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EK%3C/text%3E%3C/svg%3E)
Hi all,
I have a setup with a React frontend App Service and a FastAPI backend App Service on Azure. My goal is to restrict access to the backend so that only the frontend App Service can reach it. However, I encountered a 403 IP forbidden error when trying this approach.
To work around this, I tried using an API Management (APIM) service as a proxy between the frontend and backend. Despite adding the URLs of both the frontend App Service and APIM in the backend's CORS settings, I keep getting CORS errors when accessing the API from the browser. I also configured CORS settings in both the APIM policies and within the FastAPI code.
Notably, this CORS error only occurs when I call the API from the browser; if I make the API call from the SSH terminal in the frontend App Service, it works without issues.
For simplicity, I removed private endpoint restrictions on the backend and changed it to accept all traffic temporarily. I noticed that if I click on the red "message" text, a new tab opens and successfully shows the response from the backend API.
Does anyone have suggestions on how to resolve this CORS error when calling the API from the browser?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(25.6, 91%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EIO%3C/text%3E%3C/svg%3E)
Hi KT,
Can you confirm if you have enabled a CORS policy on APIM? If not, you can follow the steps here to do so: https://learn.microsoft.com/en-us/azure/api-management/enable-cors-developer-portal?wt.mc_id=studentamb_271760
Thank you for your message.
Yes, I set CORS in the APIM. I also add URLs of both APIM and frontend App service in CORS of the backend App Service. I also added it in the code.
APIM
<policies>
<inbound>
<base />
<set-backend-service id="apim-generated-policy" backend-id="WebApp_backend" />
<cors allow-credentials="true">
<allowed-origins>
<origin>https://frontapp.azurewebsites.net</origin>
</allowed-origins>
<allowed-methods preflight-result-max-age="300">
<method>GET</method>
<method>POST</method>
<method>OPTIONS</method>
</allowed-methods>
<allowed-headers>
<header>*</header>
</allowed-headers>
<expose-headers>
<header>*</header>
</expose-headers>
</cors>
</inbound>
<backend>
<base />
</backend>
<outbound>
<base />
</outbound>
<on-error>
<base />
</on-error>
</policies>
FastAPI
app.add_middleware(
CORSMiddleware,
allow_origins=["https://frontapp.azurewebsites.net",
"https://myapim.azure-api.net", "*"],
allow_credentials=True,
allow_methods=["*"],
allow_headers=["*"],
)
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(144, 36%, 23%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESH%3C/text%3E%3C/svg%3E)
Hi @KT ,
Following up to see if you have chance to check my previous response and help us with requested information to check and assist you further on this.
Hi @KT ,
Following up to see if you have chance to check my previous response and help us with requested information to check and assist you further on this.
Hi @kT,
Thanks for sharing your detailed configuration!
Based on what you've set up, it looks like you've covered most of the things. However, here are a few suggestions that might help resolve the CORS issue when calling the API from the browser:
Remove "*" in allow_origins: Update the allow_origins in FastAPI to only include your frontend and APIM URLs:
app.add_middleware(
CORSMiddleware,
allow_origins=["https://frontapp.azurewebsites.net", "https://myapim.azure-api.net"],
allow_credentials=True,
allow_methods=["*"],
allow_headers=["*"],
)
Verify APIM URL: Ensure https://myapim.azure-api.net is the exact URL your frontend is accessing, with correct protocol and no typos.
Check Preflight Response: Use the browser's developer tools to inspect the OPTIONS preflight request. Confirm that Access-Control-Allow-Origin and other CORS headers are returned correctly.
Explicitly Define Headers in APIM Policy: Instead of using <header>*</header>, explicitly specify needed headers like Authorization and Content-Type in <allowed-headers> and <expose-headers>.
Clear Browser Cache: Test in an incognito window or clear the browser cache to avoid cached CORS settings.
Confirm Backend CORS Settings: Ensure any CORS settings in the backend App Service are consistent with your APIM and Fast API configurations.
Let me know for any further assistance.