High severity HTTP 403 beginner · Fix: 2-5 min

CORSConfigurationError

aiohttp.web_exceptions.HTTPForbidden: CORS policy error

What this error means
The AI application's backend server is misconfigured for CORS, blocking frontend requests from allowed origins and causing HTTP 403 errors.

Stack trace

traceback 
aiohttp.web_exceptions.HTTPForbidden: CORS policy error: Origin 'http://localhost:3000' is not allowed by Access-Control-Allow-Origin.
QUICK FIX
Add and configure CORS middleware to allow your frontend origin explicitly in the backend server.

Why it happens

CORS (Cross-Origin Resource Sharing) restricts web pages from making requests to a different domain than the one that served the web page. If the backend server does not explicitly allow the frontend's origin in its CORS policy, browsers block the request, causing this error. This often happens when the server's CORS middleware is missing, misconfigured, or the allowed origins list is incomplete.

Detection

Monitor browser console logs for CORS errors and backend server logs for HTTP 403 responses related to CORS headers. Use automated tests to verify CORS headers on API responses.

Causes & fixes

1

Backend server lacks CORS middleware or configuration

✓ Fix

Add and configure CORS middleware (e.g., flask-cors, aiohttp_cors, or FastAPI's CORSMiddleware) to explicitly allow frontend origins.

2

Allowed origins list does not include the frontend domain or localhost during development

✓ Fix

Update the CORS configuration to include all necessary frontend origins, including localhost and deployed domains.

3

CORS headers are set incorrectly or overridden by other middleware

✓ Fix

Ensure CORS headers are set last in the middleware chain and not overwritten by other response handlers.

4

Frontend requests include credentials but server CORS policy does not allow credentials

✓ Fix

Set 'Access-Control-Allow-Credentials' to true on the server and ensure allowed origins are not wildcard '*' when credentials are used.

Code: broken vs fixed

Broken - triggers the error
python
from fastapi import FastAPI

app = FastAPI()

@app.get('/api/data')
def get_data():
    return {'message': 'Hello from AI backend'}

# This will cause CORS errors if frontend is on a different origin
Fixed - works correctly
python
import os
from fastapi import FastAPI
from fastapi.middleware.cors import CORSMiddleware

app = FastAPI()

origins = [
    'http://localhost:3000',  # Add your frontend origin here
    'https://your-production-frontend.com'
]

app.add_middleware(
    CORSMiddleware,
    allow_origins=origins,
    allow_credentials=True,
    allow_methods=['*'],
    allow_headers=['*'],
)

@app.get('/api/data')
def get_data():
    return {'message': 'Hello from AI backend'}

# Added CORSMiddleware with allowed origins to fix CORS errors
Added FastAPI's CORSMiddleware with explicit allowed origins and credentials support to enable cross-origin requests from the frontend.

Workaround

Temporarily disable CORS enforcement in the browser using extensions or flags during development, but fix server CORS configuration before production deployment.

Prevention

Implement strict CORS policies on the backend with explicit allowed origins and credentials settings, and include CORS tests in your CI pipeline to catch misconfigurations early.

Python 3.9+ · fastapi >=0.70.0 · tested on 0.95.x
Verified 2026-04
Verify ↗

Related errors

HTTP 403 Forbidden Error in API Requests OpenAI RateLimitError 429

Related guides

'' how to configure cors in fastapi guide '' understanding cors errors in web apps concept

Community Notes

No notes yetBe the first to share a version-specific fix or tip.