Common CORS errors when building an API

Kacper Bąk
3 min readFeb 11, 2023


Photo by Matt Artz on Unsplash

When I was building an API recently, I encountered some frustrating errors. I was getting CORS Failed errors and NS_ERROR_DOM_BAD_URI errors in my network traffic. I was stumped, but after doing some research, I was able to figure out how to fix these errors. In this article, I’m going to share what I learned in order to help others who may run into the same issues.

The first error I encountered was CORS Failed. CORS stands for Cross-Origin Resource Sharing and is an important part of web security. It prevents certain types of requests from being made from one domain to another. In my case, I was running into this issue because I was making an API call from one domain to another.

The solution to this problem was to add an Access-Control-Allow-Origin header to the response from the API. This header tells the browser that the request is allowed and should be allowed to proceed. This is a simple fix, but it can be a bit tricky to figure out if you’re not familiar with CORS.

The Access-Control-Allow-Origin header should be added on the backend. It is a response header, so it needs to be set by the server in order for it to be sent in the response.

The second error I encountered was NS_ERROR_DOM_BAD_URI. This is a more generic error that can be caused by a variety of things. In my case, I was making an API call with an invalid URL. I had an extra slash at the end of the URL and that was causing the error.

The solution to this problem was to double-check the URL I was using and make sure it was valid. Once I corrected the URL, the error went away.

The CORS request did not succeed error is caused by the same origin policy, which is a security measure that prevents certain requests from being made from one domain to another. To resolve this issue, the Access-Control-Allow-Origin header must be added to the response from the endpoint to which the request is being made. Additionally, the URL should be properly formatted with no extra slashes. Once these steps have been taken, the CORS request should complete successfully and the NS_ERROR_DOM_BAD_URI error should no longer occur.

When opening the page, a query to an external domain is generated, then the console shows me net::ERR_CERT_AUTHORITY_INVALID

This error occurs when the browser does not recognize the digital certificate presented by the external domain. This is usually caused by an expired or invalid certificate. You should contact the owner of the external domain and ask them to provide a valid certificate. If the owner is unable to provide a valid certificate, you can try to bypass the error by configuring your browser to ignore the certificate. However, this is not recommended as it could potentially leave your system vulnerable to malicious attacks.

Anyways I learned that there is no one-size-fits-all answer, the cause of the error could be related to a variety of issues.

However, you should check also the configuration of your server, especially if it allows the specified origin or wildcard “*”.

Ensure that the request is being sent with the correct headers, such as Origin, X-Requested-With, Content-Type, etc.

Make sure that the Allow-Credentials flag is set to true in the code.

Check the server logs for any other errors or warnings related to the request.

In conclusion, CORS Failed and NS_ERROR_DOM_BAD_URI errors can be very frustrating when building an API. The solutions to these errors are relatively simple, but it takes some time to figure out what is causing the error. Hopefully, this article has helped clear up any confusion around these errors and has helped you to find the right solution.

It’s important to note that the solutions to these errors may vary depending on the browser you’re using. For instance, the CORS error may be handled differently in Firefox than in Chrome. Additionally, the error may differ depending on whether you’re using http:// or https://. It’s important to be aware of these differences and make sure you’re troubleshooting for the right browser and protocol.