JavaScript Fetch: Cross-Origin Requests (CORS)

Cross-origin requests are an essential part of modern web development, enabling the interaction between resources from different origins. In this article, we will delve deep into handling cross-origin requests using the Fetch API in JavaScript. By the end, you will have a comprehensive understanding of cross-origin requests, how to configure them, and best practices for using the Fetch API to manage them effectively.

Understanding Cross-Origin Requests

Cross-origin requests occur when a web application requests resources from a different origin (domain, protocol, or port) than its own. These requests are crucial for accessing APIs, retrieving data from external sources, and integrating third-party services.

The Importance of CORS

Cross-Origin Resource Sharing (CORS) is a security feature implemented by browsers to control how web pages can request resources from different origins. CORS policies are enforced by the server through specific HTTP headers.

Using Fetch for Cross-Origin Requests

The Fetch API provides a modern, flexible way to make HTTP requests in JavaScript. It supports promises, making it easier to work with asynchronous code.

Basic Fetch Usage

Let's start with a simple example of using Fetch to make a GET request. You can learn a lot about it in our previous page, Fetch API.

async function fetchData(url) { try { const response = await fetch(url); if (!response.ok) { throw new Error(`HTTP error! Status: ${response.status}`); } const data = await response.json(); console.log(data.title); } catch (error) { console.error('Fetch error:', error); } } fetchData('');

Handling CORS with Fetch

When making cross-origin requests, the server must include specific headers to permit the request. The essential headers include:

  • Access-Control-Allow-Origin: Specifies which origins are allowed to access the resource.
  • Access-Control-Allow-Methods: Lists the HTTP methods allowed for cross-origin requests.
  • Access-Control-Allow-Headers: Lists the headers that can be included in the request.

Making Cross-Origin Requests

To make a cross-origin request with Fetch, you can set the mode option to cors. It is the default mode for cross-origin requests. It allows the request to be made if the server explicitly permits it using CORS headers. Here is an example:

In your server, avoid using a wildcard (*) for Access-Control-Allow-Origin in production for security reasons.
async function fetchCrossOriginData(url) { try { const response = await fetch(url, { mode: 'cors' }); if (!response.ok) { throw new Error(`HTTP error! Status: ${response.status}`); } const data = await response.json(); console.log(data.title); } catch (error) { console.error('Fetch error:', error); } } fetchCrossOriginData('');

Sending Credentials with Fetch

If your cross-origin request requires credentials (such as cookies or HTTP authentication), you must include the credentials option:

async function fetchWithCredentials(url) {
  try {
    const response = await fetch(url, {
      mode: 'cors',
      credentials: 'include'
    if (!response.ok) {
      throw new Error(`HTTP error! Status: ${response.status}`);
    const data = await response.json();
  } catch (error) {
    console.error('Fetch error:', error);


Handling Preflight Requests

When making certain types of cross-origin requests, the browser first sends an OPTIONS request (preflight request) to the server to determine whether the actual request is safe to send. This happens for requests that:

  • Use methods other than GET, HEAD, or POST.
  • Include custom headers.
  • Use the Content-Type header with values other than application/x-www-form-urlencoded, multipart/form-data, or text/plain.

Best Practices for Cross-Origin Fetch Requests

Secure Your API

Ensure your API is secure by validating and sanitizing all incoming data. Use HTTPS to encrypt data in transit and implement proper authentication and authorization mechanisms.

Use Appropriate CORS Headers

Configure your server to include the necessary CORS headers. Avoid using a wildcard (*) for Access-Control-Allow-Origin in production. Instead, specify the exact origins that are allowed.

Handle Errors Gracefully

Implement robust error handling to provide meaningful feedback to users and log errors for debugging purposes.

Optimize Performance

Minimize the number of cross-origin requests by combining resources where possible and using caching to reduce load times.


Mastering cross-origin requests with the Fetch API is vital for modern web development. By understanding how to configure and handle these requests, you can build more secure, efficient, and reliable web applications. Follow the best practices outlined in this article to ensure your cross-origin requests are handled correctly and securely.

Quiz Time: Test Your Skills!

Ready to challenge what you've learned? Dive into our interactive quizzes for a deeper understanding and a fun way to reinforce your knowledge.

Do you find this helpful?