![How CQRS works]()
I build the API.
I tested it in Postman.
Everything works like magic — 200 OK, perfect JSON, no issues.
I feel like a rockstar. 🎸
Then the frontend team calls me…
Hey, the API’s not working.
Wait, what?! 😳
I check
- ✔ Headers — correct
- ✔ Body — looks fine
- ✔ Auth — token’s valid
Still, something’s broken.
And that’s when reality hits:
- Postman doesn’t care about CORS
- Frontend sends JSON just a bit differently
- Maybe a missing
Content-Type
- Or some mysterious middleware messing with things
💡 Lesson learned (again)
If it works in Postman, that’s only half the story.
Real test begins when the frontend hits your API.
How CORS Works?
When your browser tries to call an API on another domain (or even a different port), the browser wants to be sure it is safe.
So, before sending the real request, the browser asks the server:
Is it okay if I send this request?
This is called a CORS check. The browser sends a small request first, usually using the OPTIONS method.
If the server replies with the correct CORS headers (like Access-Control-Allow-Origin), the browser allows the real request to happen.
But if the server does not reply with the right headers, the browser blocks the request. Your code does not even run.
That’s why it works in Postman (Postman doesn’t check for CORS) but fails in the browser.
Important point
CORS is not a bug in your code. It is the browser’s way of protecting your application from unsafe requests.