For example, if a site offers an embeddable service, it may be necessary to relax certain restrictions. Adding a "non-standard" header like 'access-control-allow-origin' will trigger an OPTIONS preflight request, which your server must handle correctly in order for the POST request to even be sent. Unless you're building an API for the general public to use, this is not the behaviour you want, so let's jump right in to configuring the cors middleware so that only your website can make CORS requests to your API: Typically you'll want to enable CORS for all of the routes in your Express application, as in the example above, but if you only want to enable CORS for specific routes you can configure the cors middleware like this: The examples above configure CORS for simple GET requests. This happens for almost all of the S3-hosted images. Open the network tab in your browser's developer console. See, that's not so bad. Instead of making the request from your domain, something else needs to make the request for you. CORS policies won't affect requests from non-XHR sources, such as