CORS (Cross-Origin Resource Sharing) errors are one of the most frustrating things developers run into when connecting a frontend to Supabase. The bad news? Supabase no longer exposes CORS configuration in the dashboard. The good news? You still have controlâyou just have to approach it differently.
Setting up Cross-Origin Resource Sharing (CORS) in Supabase is key for letting web apps from different origins talk to your Supabase backend. CORS settings decide which domains get to access your resources, which secures your app but also gives the flexibility needed for frontend work. To do this, tweak your Supabase project's API settings to specify allowed origins, methods, and headers. Knowing how to adjust these settings properly is crucial. It ensures your app runs smoothly without hitting CORS issues.
CORS (Cross-Origin Resource Sharing) is a security mechanism built into web browsers. It controls which websites are allowed to make requests to a server from a different domain.
If your frontend is at https://app.mysaas.com and your API is at https://xyz.supabase.co, the browser wonât let them talk to each other unless the API explicitly says, âYes, I trust requests from this origin.â
CORS protects users from malicious websites trying to read sensitive data from another site without permission.
CORS prevents this. The bankâs server must include headers that say âOnly allow mybank.com to access this.â
Your browser blocks the request. Youâll see this:
Access to fetch at 'https://xyz.supabase.co/rest/v1/data'
from origin 'https://your-app.com' has been blocked by CORS policy.
Important: The server still received the requestâyour browser just refused to show you the response.
Authorization)POST, PUT, or DELETEwithCredentials (cookies, auth tokens)When any of these happen, the browser performs a preflight request (an OPTIONS request) to ask the server:
âHey, are you cool with this?â
If the server says noâor doesnât say anythingâyour browser stops the request cold.
To allow cross-origin requests:
Access-Control-Allow-Origin: https://your-frontend.com
Access-Control-Allow-Methods: GET, POST
Access-Control-Allow-Headers: Authorization, Content-Type
As of 2025, Supabase no longer provides a dashboard setting to configure CORS headers. The previous âAPIâ or âDatabaseâ tabs used for this are gone.
If you're looking for a dropdown or input field to set allowed origins: stop. Itâs not there anymore.
Use Case --> Solution
REST API (PostgREST) --> Supabase sets CORS headers automatically
Custom domains or origin control --> Use a reverse proxy or CDN edge middleware
Edge Functions --> Manually set CORS headers in your response
Testing CORS behavior --> Use curl, fetch(), and browser dev tools.
Supabaseâs REST API (based on PostgREST) adds basic CORS headers by default. You donât control them directly, but they generally work if:
Content-Type, Authorization, etc.)withCredentials) or non-simple requestsâ If you need more fine-grained CORS control (like custom headers or subdomain wildcards), youâll need to use a proxy layer.
If youâre building a production app and want tight control over CORS, consider sitting a proxy in front of Supabase:
export default {
async fetch(request) {
const url = new URL(request.url)
const origin = request.headers.get("Origin")
const proxied = await fetch("https://your-project.supabase.co/rest/v1/your_table", {
method: request.method,
headers: request.headers
})
return new Response(proxied.body, {
status: proxied.status,
headers: {
"Access-Control-Allow-Origin": origin || "*",
"Access-Control-Allow-Methods": "GET, POST, OPTIONS",
"Access-Control-Allow-Headers": "Authorization, Content-Type, apikey",
...Object.fromEntries(proxied.headers),
},
})
},
}
Unlike PostgREST, Supabase Edge Functions require you to handle CORS manually.
Hereâs the correct way to add CORS headers:
// supabase/functions/hello-world/index.ts
if (req.method === "OPTIONS") {
return new Response("ok", {
headers: {
"Access-Control-Allow-Origin": "*",
"Access-Control-Allow-Methods": "GET, POST, OPTIONS",
"Access-Control-Allow-Headers": "authorization, content-type, apikey",
},
})
}
return new Response(JSON.stringify({ message: "Hello world" }), {
headers: {
"Access-Control-Allow-Origin": "*",
"Content-Type": "application/json",
},
})
đ Swap * with your domain in production for security.
curl (simulate browser origin)bash
CopyEdit
curl -H "Origin: https://your-frontend.com" -I https://your-project.supabase.co/rest/v1/your_table
Look for:
arduino
CopyEdit
Access-Control-Allow-Origin: https://your-frontend.com
fetchfetch("https://your-project.supabase.co/rest/v1/your_table", {
method: "GET",
headers: {
apikey: "your-anon-key",
Authorization: "Bearer your-jwt"
}
}).then(console.log).catch(console.error)
Use browser dev tools â Network tab â check Response Headers and Console Errors.
* in production with credentials.Explore our Supabase tutorials directory - an essential resource for learning how to create, deploy and manage robust server-side applications with ease and efficiency.
Nocode tools allow us to develop and deploy your new application 40-60% faster than regular app development methods.
Save time, money, and energy with an optimized hiring process. Access a pool of experts who are sourced, vetted, and matched to meet your precise requirements.
With the Bootstrapped platform, managing projects and developers has never been easier.
.png)
Bootstrapped offers a comprehensive suite of capabilities tailored for startups. Our expertise spans web and mobile app development, utilizing the latest technologies to ensure high performance and scalability. The team excels in creating intuitive user interfaces and seamless user experiences. We employ agile methodologies for flexible and efficient project management, ensuring timely delivery and adaptability to changing requirements. Additionally, Bootstrapped provides continuous support and maintenance, helping startups grow and evolve their digital products. Our services are designed to be affordable and high-quality, making them an ideal partner for new ventures.
Fast Development: Bootstrapped specializes in helping startup founders build web and mobile apps quickly, ensuring a fast go-to-market strategy.
Tailored Solutions: The company offers customized app development, adapting to specific business needs and goals, which ensures your app stands out in the competitive market.
Expert Team: With a team of experienced developers and designers, Bootstrapped ensures high-quality, reliable, and scalable app solutions.
Affordable Pricing: Ideal for startups, Bootstrapped offers cost-effective development services without compromising on quality.
Supportive Partnership: Beyond development, Bootstrapped provides ongoing support and consultation, fostering long-term success for your startup.
Agile Methodology: Utilizing agile development practices, Bootstrapped ensures flexibility, iterative progress, and swift adaptation to changes, enhancing project success.
