Supabase

🔐 How to Handle CORS in Supabase (2025 Update)

CORS (Cross-Origin Resource Sharing) errors are one of the most frustrating things developers run into when connecting a frontend to Supabase. The bad news? Supabase no longer exposes CORS configuration in the dashboard. The good news? You still have control—you just have to approach it differently.

Developer profile skeleton
a developer thinking

Overview

Setting up Cross-Origin Resource Sharing (CORS) in Supabase is key for letting web apps from different origins talk to your Supabase backend. CORS settings decide which domains get to access your resources, which secures your app but also gives the flexibility needed for frontend work. To do this, tweak your Supabase project's API settings to specify allowed origins, methods, and headers. Knowing how to adjust these settings properly is crucial. It ensures your app runs smoothly without hitting CORS issues.

Get a Free No-Code Consultation
Meet with Will, CEO at Bootstrapped to get a Free No-Code Consultation
Book a Call
Will Hawkins
CEO at Bootstrapped

🔐 How to Handle CORS in Supabase (2025 Update)

🔍 What Is CORS?

CORS (Cross-Origin Resource Sharing) is a security mechanism built into web browsers. It controls which websites are allowed to make requests to a server from a different domain.

In plain terms:

If your frontend is at https://app.mysaas.com and your API is at https://xyz.supabase.co, the browser won’t let them talk to each other unless the API explicitly says, “Yes, I trust requests from this origin.”

🧠 Why Does CORS Exist?

CORS protects users from malicious websites trying to read sensitive data from another site without permission.

Example attack (without CORS):

  1. You log into your bank.
  2. You visit evil-site.com.
  3. That site silently makes a request to your bank and reads your account info.

CORS prevents this. The bank’s server must include headers that say “Only allow mybank.com to access this.”

đŸ§Ș What Happens When CORS Fails?

Your browser blocks the request. You’ll see this:

Access to fetch at 'https://xyz.supabase.co/rest/v1/data'
from origin 'https://your-app.com' has been blocked by CORS policy.

Important: The server still received the request—your browser just refused to show you the response.

🛠 What Triggers CORS?

  • Calling an API on a different domain
  • Sending custom headers (like Authorization)
  • Using POST, PUT, or DELETE
  • Sending withCredentials (cookies, auth tokens)

When any of these happen, the browser performs a preflight request (an OPTIONS request) to ask the server:

“Hey, are you cool with this?”

If the server says no—or doesn’t say anything—your browser stops the request cold.

✅ What You Need to Do

To allow cross-origin requests:

  • The server (e.g., Supabase, Edge Function, proxy) must return headers like:

Access-Control-Allow-Origin: https://your-frontend.com
Access-Control-Allow-Methods: GET, POST
Access-Control-Allow-Headers: Authorization, Content-Type

⚠ Quick Reality Check

As of 2025, Supabase no longer provides a dashboard setting to configure CORS headers. The previous “API” or “Database” tabs used for this are gone.

If you're looking for a dropdown or input field to set allowed origins: stop. It’s not there anymore.

✅ What You Can Still Do

Use Case --> Solution

REST API (PostgREST) --> Supabase sets CORS headers automatically

Custom domains or origin control --> Use a reverse proxy or CDN edge middleware

Edge Functions --> Manually set CORS headers in your response

Testing CORS behavior --> Use curl, fetch(), and browser dev tools.

🔁 Supabase REST API: What Happens Automatically?

Supabase’s REST API (based on PostgREST) adds basic CORS headers by default. You don’t control them directly, but they generally work if:

  • Your frontend domain is serving over HTTPS
  • You send requests with standard headers (Content-Type, Authorization, etc.)
  • You don’t need to support credentials (withCredentials) or non-simple requests

❗ If you need more fine-grained CORS control (like custom headers or subdomain wildcards), you’ll need to use a proxy layer.

🧠 When to Use Middleware or a Reverse Proxy

If you’re building a production app and want tight control over CORS, consider sitting a proxy in front of Supabase:

🔧 Good options:

  • Cloudflare Workers
  • Vercel Edge Middleware
  • AWS CloudFront
  • Custom Express or Fastify server

Example: Cloudflare Worker CORS Proxy

export default {
 async fetch(request) {
   const url = new URL(request.url)
   const origin = request.headers.get("Origin")

   const proxied = await fetch("https://your-project.supabase.co/rest/v1/your_table", {
     method: request.method,
     headers: request.headers
   })

   return new Response(proxied.body, {
     status: proxied.status,
     headers: {
       "Access-Control-Allow-Origin": origin || "*",
       "Access-Control-Allow-Methods": "GET, POST, OPTIONS",
       "Access-Control-Allow-Headers": "Authorization, Content-Type, apikey",
       ...Object.fromEntries(proxied.headers),
     },
   })
 },
}

⚙ Handling CORS in Supabase Edge Functions

Unlike PostgREST, Supabase Edge Functions require you to handle CORS manually.

Here’s the correct way to add CORS headers:

// supabase/functions/hello-world/index.ts
if (req.method === "OPTIONS") {
 return new Response("ok", {
   headers: {
     "Access-Control-Allow-Origin": "*",
     "Access-Control-Allow-Methods": "GET, POST, OPTIONS",
     "Access-Control-Allow-Headers": "authorization, content-type, apikey",
   },
 })
}

return new Response(JSON.stringify({ message: "Hello world" }), {
 headers: {
   "Access-Control-Allow-Origin": "*",
   "Content-Type": "application/json",
 },
})

🔒 Swap * with your domain in production for security.

đŸ§Ș How to Test Your CORS Setup

✅ Option 1: curl (simulate browser origin)

bash

CopyEdit

curl -H "Origin: https://your-frontend.com" -I https://your-project.supabase.co/rest/v1/your_table

Look for:

arduino

CopyEdit

Access-Control-Allow-Origin: https://your-frontend.com

✅ Option 2: Browser Console fetch

fetch("https://your-project.supabase.co/rest/v1/your_table", {
 method: "GET",
 headers: {
   apikey: "your-anon-key",
   Authorization: "Bearer your-jwt"
 }
}).then(console.log).catch(console.error)

Use browser dev tools → Network tab → check Response Headers and Console Errors.

🧭 Final Tips

  • Don’t rely on old docs—CORS in Supabase is now decentralized.
  • Proxy + middleware = full control.
  • Edge Functions = your job to handle CORS.
  • Never allow * in production with credentials.

‍

Explore more Supabase tutorials

Complete Guide to Supabase: Tutorials, Tips, and Best Practices

Explore our Supabase tutorials directory - an essential resource for learning how to create, deploy and manage robust server-side applications with ease and efficiency.

Why are companies choosing Bootstrapped?

40-60%

Faster with no-code

Nocode tools allow us to develop and deploy your new application 40-60% faster than regular app development methods.

90 days

From idea to MVP

Save time, money, and energy with an optimized hiring process. Access a pool of experts who are sourced, vetted, and matched to meet your precise requirements.

1 283 apps

built by our developers

With the Bootstrapped platform, managing projects and developers has never been easier.

hero graphic

Our capabilities

Bootstrapped offers a comprehensive suite of capabilities tailored for startups. Our expertise spans web and mobile app development, utilizing the latest technologies to ensure high performance and scalability. The team excels in creating intuitive user interfaces and seamless user experiences. We employ agile methodologies for flexible and efficient project management, ensuring timely delivery and adaptability to changing requirements. Additionally, Bootstrapped provides continuous support and maintenance, helping startups grow and evolve their digital products. Our services are designed to be affordable and high-quality, making them an ideal partner for new ventures.

Engineered for you

1

Fast Development: Bootstrapped specializes in helping startup founders build web and mobile apps quickly, ensuring a fast go-to-market strategy.

2

Tailored Solutions: The company offers customized app development, adapting to specific business needs and goals, which ensures your app stands out in the competitive market.

3

Expert Team: With a team of experienced developers and designers, Bootstrapped ensures high-quality, reliable, and scalable app solutions.

4

Affordable Pricing: Ideal for startups, Bootstrapped offers cost-effective development services without compromising on quality.

5

Supportive Partnership: Beyond development, Bootstrapped provides ongoing support and consultation, fostering long-term success for your startup.

6

Agile Methodology: Utilizing agile development practices, Bootstrapped ensures flexibility, iterative progress, and swift adaptation to changes, enhancing project success.

Yes, if you can dream it, we can build it.