Requests Blocked by CORS

If you are integrating the Countly Web SDK and requests are blocked due to CORS, follow the steps below to identify and resolve the issue. Principles shared here can also be extended to other SDKs depending on the platform.

1. Verify Requests Are Reaching the Countly Server

Before adjusting CORS settings, confirm that requests actually reach the Countly API and are not blocked earlier in the network path, such as by a WAF, reverse proxy, CDN, or browser extension.

Recommended checks:

  • Browser DevTools
    • Open Network tab
    • Look for requests to the Countly API endpoint (for example /i or /o)
    • Check:
      • Request status code
      • Whether the request appears at all
  • Server Logs
    • Check Countly NGINX or API logs to confirm whether the request arrives at the server
    • If no request is logged, the block is happening before Countly
  • WAF / Proxy / CDN
    • Verify that:
      • Preflight (OPTIONS) requests are allowed
      • No rules are blocking cross-origin JavaScript requests
    • Common culprits include Cloudflare, AWS WAF, corporate proxies, or strict firewall rules
  • Direct Test
    • Temporarily test from a simple HTML page hosted on the same domain
    • Or use curl / fetch with a custom Origin header to see if the server responds

If the request never reaches Countly, CORS configuration inside Countly will not help until the upstream block is resolved.

2. Check Application Access Control Origin Settings

If requests do reach Countly:

  1. Go to
    Management → Applications → [Application] → App Settings → Access Control Origin
  2. Verify that the exact origin is listed, including:
    • Protocol (http vs https)
    • Subdomain (www.example.com vs example.com)
  3. Save changes and retry the request

After this, the API response should include:

Access-Control-Allow-Origin: https://your-domain.com

If a required domain is missing, the request will fail even if the Web SDK is configured correctly.

3. Additional Things to Check

  • Correct App Key
    • Make sure the Web SDK is using the app key that matches the application where the origin is configured
  • Browser Cache
    • CORS preflight responses may be cached
    • Try:
      • Hard refresh
      • Incognito window
      • Clearing browser cache
  • Multiple Environments
    • Ensure all environments are covered:
      • Production
      • Staging
      • Preview / QA domains
  • Mixed Content
    • https websites sending data to an http Countly server may fail in modern browsers
    • Ensure protocol compatibility
Was this page helpful?
Reach out to us for any other questions.
Helpful?

Looking for more Help?