
Access-Control-Allow-Origin Error for jquery $.ajax call



First try a simple request to /api/method/version, or an authenticated request to /api/method/ping.

If simple requests work, there must be some other error.


I have tried your suggestion

and got an output of

Object { message: "9.2.22" }

but when I tried the login request and used the same code above, I got a Cross-Origin Request Blocked error.

hmmm :thinking:


So I tried removing a line of code in my ajax request:

contentType: 'application/json; charset=utf-8',

and it works! :grinning:

Thanks for your help @revant_one! :grin:


Running on production server

sudo nginx -t -c /etc/nginx/conf.d/frappe-bench.conf


nginx: [emerg] "upstream" directive is not allowed here in /etc/nginx/conf.d/frappe-bench.conf:1
nginx: configuration file /etc/nginx/conf.d/frappe-bench.conf test failed

Before even updating for cors.

By any chance, does someone know what is going on?


you need to run nginx -t -c on /etc/nginx/nginx.conf

bench creates its own conf file that gets included in nginx.conf


Hi @revant_one

  • Is it /home/frappe/frappe-bench/config/nginx.conf or /etc/nginx/nginx.conf that I am supposed to modify?



I don’t know if this is fixed or not but you need to include headers in ajax call.

This is my AngularJS code:

service.getUsers = function (formData) {
    return $http({
        method: 'POST',
        url: urlBase + 'ec_site_survey.public.submit',
        headers: {
            'Content-Type': 'application/json',
            // CSRF token rendered into the page by the server-side template
            'X-Frappe-CSRF-Token': '{{ frappe.session.csrf_token }}'
        },
        data: {
            formData: formData
        }
    });
};

It worked for me.


Did you have to make changes to the nginx.conf for your code to work, @aldoblack?


No, I did not have to.

Just a question. Are you trying to call the API from another domain, or from the same one?

If it is from the same one, use the code that I provided.


It is from another domain, that is why I have the CORS problem


modify /home/frappe/frappe-bench/config/nginx.conf


Good Day

Maybe this is not the same issue, but I need help in the right direction to query the API from JavaScript in the correct manner. I want to use some information from ERPNext on my website.

I can get values easily with Postman, but I struggle to get the same with ajax:

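function firstLogin(email, password) {
    var url = "";  // endpoint URL is not shown in the post
    $.ajax({
        url: url,
        headers: {"Accept": "application/json"},
        contentType: "application/json",
        method: 'POST',
        dataType: 'json',
        crossDomain: true,
        success: function (data) {
            // response handling is not shown in the post
        }
    });
}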

Please help me.

Thank You


Thanks for replying, @revant_one.

  • I copied your gist and replaced location @webserver in /home/frappe/frappe-bench/config/nginx.conf
  • Restarted the server (DigitalOcean)
  • I could http://MY_ERPNEXT_IP/api/ directly in Firefox, Chrome, Postman AND Vue-Axios with no problems
  • I could http://MY_ERPNEXT_IP/api/method/login?usr=user&pwd=password directly in Firefox, Chrome and Postman with no problems, but not from Vue-Axios

Do you know what headers should I use?

I use

headers: {'Authorization': 'APIKEY', 'Content-Type': 'application/x-www-form-urlencoded'},

But I get this error:

Access to XMLHttpRequest at ‘’ from origin ‘’ has been blocked by CORS policy: Request header field x-frappe-csrf-token is not allowed by Access-Control-Allow-Headers in preflight response.
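Why removing `contentType: 'application/json; charset=utf-8'` made the earlier login call work, and why `x-frappe-csrf-token` produced the error above, shown as an added example that is not code from any poster in this thread. It is a simplified model of the browser's preflight decision: it ignores the Range header and header-value length limits, and the function names and sample header sets are made up for illustration.

```javascript
// Simplified model of when a browser sends a CORS preflight (OPTIONS) request
// and which request headers the preflight response fails to authorise.
const SAFE_METHODS = new Set(['GET', 'HEAD', 'POST']);
const SAFE_HEADERS = new Set(['accept', 'accept-language', 'content-language', 'content-type']);
const SAFE_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain',
]);

// Author-set header names (lowercased, sorted) that are not CORS-safelisted.
function unsafeHeaders(headers) {
  const out = [];
  for (const [name, value] of Object.entries(headers)) {
    const n = name.toLowerCase();
    if (!SAFE_HEADERS.has(n)) { out.push(n); continue; }
    if (n === 'content-type') {
      // Only the MIME type matters; parameters such as charset are ignored.
      const mime = String(value).split(';')[0].trim().toLowerCase();
      if (!SAFE_CONTENT_TYPES.has(mime)) out.push(n);
    }
  }
  return out.sort();
}

// True when the cross-origin request is not "simple" and is preceded by OPTIONS.
function needsPreflight(method, headers) {
  return !SAFE_METHODS.has(method.toUpperCase()) || unsafeHeaders(headers).length > 0;
}

// Request headers the browser rejects, given the server's preflight response.
// preflightResponse is a constructed object keyed by the exact header name.
function blockedByPreflight(headers, preflightResponse) {
  const allow = (preflightResponse['Access-Control-Allow-Headers'] || '')
    .split(',').map((h) => h.trim().toLowerCase()).filter(Boolean);
  // "*" is a wildcard only for requests without credentials, and it never
  // covers Authorization, which must be listed by name.
  const wildcard = allow.includes('*');
  return unsafeHeaders(headers).filter(
    (h) => !(allow.includes(h) || (wildcard && h !== 'authorization')));
}

// Constructed samples mirroring the requests discussed in this thread.
const jsonLogin = { 'Content-Type': 'application/json; charset=utf-8' };
const formLogin = { 'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8' };
const csrfCall = { 'Content-Type': 'application/json', 'X-Frappe-CSRF-Token': 'token' };
const serverAllows = { 'Access-Control-Allow-Headers': 'Content-Type, Authorization' };

console.log(needsPreflight('POST', jsonLogin));          // JSON body: preflighted
console.log(needsPreflight('POST', formLogin));          // form body: simple request
console.log(blockedByPreflight(csrfCall, serverAllows)); // headers the server must add
```

On the server side, every name this check reports has to appear in the `Access-Control-Allow-Headers` value returned for the OPTIONS request, and the list is best kept to the headers the API actually needs.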



Here’s what I do usually.

  1. On server create a backend request. Python code or whatever language you are using.
  2. From back end call
  3. From front end call the code on point 1.


I will try your workaround, @aldoblack. Thanks


Hi @Albertus.

Take a look at Token Based Rest Api in JavaScript

You’ll find a simple but complete JavaScript and Python snippet for calling the ERPNext Rest Api

Hope this helps


Just a quick note for anyone struggling with CORS: @revant_one’s modifications to nginx.conf work great, but at least in some circumstances they apply the necessary headers only to successful API calls. That means, if the call fails for some other reason (403, 404, 500, etc.), you might get a misleading Access-Control-Allow-Origin error.

In other words, if you’re still getting Access-Control-Allow-Origin errors even after you’ve changed frappe-bench/config/nginx.conf and reloaded nginx, it’s very possible that CORS isn’t actually the problem but is being reported as a false positive. Adding this in hopes of saving someone else some trouble.

Someone who learned the hard way :slight_smile: