Some users getting CORS error "no access control allow origin header" origin not allowed

Question

Some users getting CORS error "no access control allow origin header" origin not allowed

Angelo Spaziani 0

We have a few users at one location that are unable to log into our app that utilizes an azure API management gateway. They get a response that the origin is not allowed even though its clearly allowed in the cors policy for all apis. I am unable to find any help or logging within the resource. Please advise how i can better troubleshoot this issue or find a solution.

Pravallika KV 3,955 Reputation points Microsoft External Staff Moderator

2025-12-17T22:56:09.07+00:00
Hi @Angelo Spaziani ,

Thanks for reaching out to Microsoft Q&A.

This is often related to how CORS policies are configured and evaluated. Check below steps to troubleshoot and potentially resolve the issue:

Double-check the CORS policy settings on your Azure API Management to ensure it is configured correctly.

Remember, if you have specified both App Service CORS and your own CORS code, the App Service CORS takes precedence, which can lead to unexpected blocks. Ensure that your CORS policy is correctly set up for all APIs in your API Management instance.

Steps to check:

Go to the Azure Portal.

Navigate to API Management and select your APIM instance.

Go to APIs and select the API that’s being accessed.

In the Design section, verify that the CORS policy is applied correctly in the inbound policy. Example of a generic CORS policy in the API Management inbound policy:

<inbound> <cors allowed-origins="*" allowed-methods="GET, POST, PUT, DELETE, OPTIONS" allowed-headers="*" /> </inbound>

Ensure the allowed-origins includes * or the specific origins you're testing with. The other parameters allowed-methods, allowed-headers, etc., should also match your requirements.

Make sure the specific origins that are trying to access the API are listed in your CORS policy.

Use browser developer tools (F12) to inspect network requests and check for any CORS-related error messages in the console. This can help you validate whether the Access-Control-Allow-Origin header is being set correctly.

Ensure that your API responds correctly to OPTIONS preflight requests, as CORS checks this on initial requests from different origins.

If you are using subscription key authentication, be aware that configuring the CORS policy at the product scope can lead to issues if the subscription key is sent via headers. To avoid this, consider adding the subscription key as a query parameter instead.

If you're using wildcard (*) for allowed origins, note that adding individual origins can override this, so review your rules for any potential conflicts.
Angelo Spaziani 0 Reputation points

2025-12-18T02:42:37.4166667+00:00

this has never happened with any of our existing clients and i'm unable to replicate it. nothing has changed that would have caused this. are there logs that i can access to get more diagnostic info?

1 answer

Your answer

Angelo Spaziani 0 Reputation points

2025-12-18T02:42:37.4166667+00:00

this has never happened with any of our existing clients and i'm unable to replicate it. nothing has changed that would have caused this. are there logs that i can access to get more diagnostic info?

Answer 1

To troubleshoot the CORS error "no access control allow origin header" that some users are experiencing, consider the following steps:

Check CORS Configuration: Ensure that the CORS policy is correctly configured in your Azure API Management gateway. Verify that the allowed origins include the specific origin from which the requests are being made. Even if it seems allowed, double-check for any typos or misconfigurations.
Inspect Network Traffic: Use tools like Fiddler or the browser's developer tools to inspect the network requests. Look for the Origin header in the request and the Access-Control-Allow-Origin header in the response. This will help you confirm whether the CORS headers are being sent correctly.
Review Azure Front Door Settings: If you're using Azure Front Door, ensure that it is configured to handle CORS properly. Azure Front Door caches the Access-Control-Allow-Origin header, so if the first request from a different origin is not allowed, subsequent requests might also fail. You may need to purge the cache or adjust the rules to handle multiple origins correctly.
Check for Preflight Requests: Ensure that your server is correctly handling preflight requests (HTTP OPTIONS) that browsers send before actual requests. If your API does not respond appropriately to these preflight requests, it can lead to CORS errors.
Logging and Monitoring: Implement logging within your API to capture requests and responses. This can help identify if the requests are reaching your API and how they are being processed.
Test with Different Browsers: Sometimes, browser-specific issues can cause CORS problems. Test the application in different browsers to see if the issue persists across all of them.

By following these steps, you should be able to identify the root cause of the CORS issue and resolve it accordingly.

Share via

Some users getting CORS error "no access control allow origin header" origin not allowed

1 answer

Your answer