403 Forbidden error coming. I added the CORS URL correctly, help me

Request URL: https://tour-server-two.vercel.app/api/v1/get-events
Request Method: GET
Status Code: 403 Forbidden
Referrer Policy: strict-origin-when-cross-origin
cache-control: private, no-store, max-age=0
content-type: text/html; charset=utf-8
date: Mon, 17 Feb 2025 21:20:36 GMT
server: Vercel
x-vercel-challenge-token: 2.1739827236.60.MmQ4OTk3ZDc4NGM0ZjdiZDRhMTI0ODMzMmM3YWRhNTk7M2Q3MWE5MDk7NjFmMDJkNDBmZWYxNjZhZWUxYzdjZDhjMjNkMGMwMWJhM2I5N2U0NzszO4IciuHGZbccdhjP9CHD//GbirG0GsWJXXzvDE644ZAdE0nkI81I0lcw27kBK5x93HGudEcoo4fBwg==.10caaf761298e5dfefded0b5df9cc49d
x-vercel-mitigated: challenge
:authority: tour-server-two.vercel.app
:method: GET
:path: /api/v1/get-events
:scheme: https
accept: */*
accept-encoding: gzip, deflate, br, zstd
accept-language: en-US,en;q=0.9
cookie: _vcrcs=1.1739825478.3600.NmE1NmZhZjM0ZTcxNmMzOTg3NjcyZDZmZmJhYjJiNGE=.2c3810b2f136e9a4806aff79df58dd0c
origin: https://tour-client-teal.vercel.app
priority: u=1, i
referer: https://tour-client-teal.vercel.app/
sec-fetch-dest: empty
sec-fetch-mode: cors
sec-fetch-site: cross-site
user-agent: Mozilla/5.0 (iPhone; CPU iPhone OS 16_6 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Mobile/15E148 Safari/604.1 Edg/131.0.0.0

Hello, could you tell us what you are trying to perform and the error code? To implement CORS, you can refer to "How can I enable CORS on Vercel?"

You may also find the "Different ways to handle CORS on Vercel" post helpful.

Bro, it is still showing this error. Last week this web page worked; this issue has come up in the last couple of days.

Access to fetch at 'https://tour-server-two.vercel.app/api/v1/get-events' from origin 'https://tour-client-teal.vercel.app' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.

Hello,

You need to ensure you are trying to run the API from the same origin. It looks like https://tour-server-two.vercel.app/api/v1/get-events is called from origin https://tour-client-teal.vercel.app, which has a missing CORS header.

net::ERR_FAILED 403 (Forbidden): this type of error is coming

import express, { Request, Response, NextFunction } from "express";
import cookieParser from "cookie-parser";
import dotenv from "dotenv";
import { ErrorMiddleware } from "./middleware/error";
import userRouter from "./routes/user.route";
import { v2 as cloudinary } from "cloudinary";
import eventRouter from "./routes/event.route";
import orderRouter from "./routes/order.route";
import NotificationRouter from "./routes/notification.route";
import analyticsRouter from "./routes/analytics.route";
import layoutRouter from "./routes/layout.route";
import destinationRouter from "./routes/destination.route";
import { rateLimit } from "express-rate-limit";
import cors from "cors";

// Initialize environment variables
dotenv.config();

// Create the Express application
export const app = express();

// CORS middleware
app.use(cors({
  origin: [
    "http://localhost:3000",  // Local development frontend
    "https://tour-client-teal.vercel.app"  // Add the production frontend URL
  ], 
  credentials: true,  // Allow credentials (cookies)
}));

// Cloudinary Configuration
cloudinary.config({
  cloud_name: process.env.CLOUD_NAME,
  api_key: process.env.CLOUD_API_KEY,
  api_secret: process.env.CLOUD_SECRET_KEY,
});

// Request timeout middleware
app.use((req, res, next) => {
  // Set timeout to 2 minutes (120,000 ms)
  res.setTimeout(120000, () => {
    // Only send the 408 if no response has been started yet
    if (!res.headersSent) {
      res.status(408).json({
        success: false,
        message: 'Request timed out',
      });
    }
  });
  next();
});

// Middlewares
app.use(express.urlencoded({ extended: true }));
app.use(express.json({ limit: '100mb' })); // Adjusted payload size limit
app.use(cookieParser()); // Parse cookies

// API request limit - Ensure this is applied after CORS
const limiter = rateLimit({
  windowMs: 15 * 60 * 1000, // 15 minutes
  max: 500, // Increased from 100 to 500
  standardHeaders: "draft-7",
  legacyHeaders: false,
});

app.use(limiter);  // Apply rate limiter middleware here

// Routes
app.use("/api/v1", userRouter);
app.use("/api/v1", eventRouter);
app.use("/api/v1", orderRouter);
app.use("/api/v1", NotificationRouter);
app.use("/api/v1", analyticsRouter);
app.use("/api/v1", layoutRouter);
app.use("/api/v1", destinationRouter);

// Testing API
app.get("/test", (req: Request, res: Response) => {
  res.status(200).json({
    success: true,
    message: "API is Working",
  });
});

// Unknown Route Handler
app.all("*", (req: Request, res: Response, next: NextFunction) => {
  const error = new Error(`Route ${req.originalUrl} not found`) as any;
  error.statusCode = 404;
  next(error);
});

// Error Middleware (must come after routes and unknown route handler)
app.use(ErrorMiddleware);

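// Registered after the catch-all route and the error middleware, so requests
// do not normally reach it; it would have to sit above the routes to take effect.
app.use((req, res, next) => {
  res.setHeader("Connection", "keep-alive");
  next();
});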

Hi @anujamanthrirathne, sorry that you are still facing the issue. Have you tried Enabling CORS preflight?
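
Added example, not part of any post in this thread and not Vercel's or the poster's code: the response in the first post carries x-vercel-mitigated: challenge, a header Vercel sets when its firewall answers a request itself, so the missing Access-Control-Allow-Origin header can come from the platform rather than from the Express cors() setup. The sketch classifies a blocked cross-origin response from its status and headers; classifyCorsFailure, the verdict names and withCredentials: true are assumptions.

```javascript
// Added example: work out why a cross-origin fetch was blocked, using only the
// response status and headers (from DevTools or `curl -i`).
// classifyCorsFailure and the verdict names are hypothetical.
function lowerCaseHeaders(headers) {
  const out = {}; // header names are case-insensitive
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = String(value).trim();
  }
  return out;
}

function classifyCorsFailure({ status, headers, origin, withCredentials }) {
  const h = lowerCaseHeaders(headers);
  const acao = h["access-control-allow-origin"];
  // The platform answered the request itself (challenge or deny page), so the
  // app's cors() middleware never had a chance to add its headers.
  if (h["x-vercel-mitigated"]) {
    return { verdict: "blocked-at-edge", detail: `x-vercel-mitigated: ${h["x-vercel-mitigated"]}` };
  }
  if (!acao) {
    return { verdict: "no-acao-header", detail: `status ${status} without Access-Control-Allow-Origin` };
  }
  if (acao === "*" && withCredentials) {
    return { verdict: "wildcard-with-credentials", detail: "browsers reject * on credentialed requests" };
  }
  if (acao !== "*" && acao !== origin) {
    return { verdict: "origin-mismatch", detail: `allowed ${acao}, page origin ${origin}` };
  }
  if (withCredentials && h["access-control-allow-credentials"] !== "true") {
    return { verdict: "credentials-not-allowed", detail: "Access-Control-Allow-Credentials is not true" };
  }
  return { verdict: "cors-ok", detail: `status ${status}` };
}

// Status and headers from the first post (challenge token left out).
// withCredentials: true is an assumption, based on the cookie the request carried.
const challenged = {
  status: 403,
  origin: "https://tour-client-teal.vercel.app",
  withCredentials: true,
  headers: { "Content-Type": "text/html; charset=utf-8", Server: "Vercel", "X-Vercel-Mitigated": "challenge" },
};
// Constructed sample: headers the cors() options in the thread produce once the app is reached.
const reachedApp = {
  ...challenged,
  status: 200,
  headers: { "Access-Control-Allow-Origin": challenged.origin, "Access-Control-Allow-Credentials": "true" },
};
for (const r of [challenged, reachedApp]) console.log(classifyCorsFailure(r));
```

A "blocked-at-edge" verdict points at the project's firewall or challenge settings rather than at the cors() options.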