CORS Error: No Access-Control-Allow-Origin header - Cannot create patients from frontend
CORS Error Blocks Patient Registration API
Patient registration fails due to missing CORS headers on the backend
Summary
Patient registration form fails with "Network Error" because the backend API does not send the Access-Control-Allow-Origin header.
Browser blocks the request → no patient is created.
This completely prevents patient registration in local development and in any non-whitelisted environment.
Current behavior (what happens)
- Submitting the patient registration form fails
- Browser console shows CORS policy error
- UI displays: Failed to create patient: Network Error
- The request never reaches the application logic
Expected behavior
- Request from frontend > backend should succeed
- Patient record should be created
- UI should show success message / confirmation
Steps to reproduce
- Run the frontend locally (http://localhost:5173)
- Log in as a volunteer/user
- Go to Patient Registration page
- Fill in valid patient details
- Click Submit
→ Request is blocked by browser
Environment
| Item | Value |
|---|---|
| Frontend | ehrs-frontend-vite |
| Frontend URL | http://localhost:XXXX |
| Backend URL | https://api.ehrs.swecha.org |
| Browsers affected | Chrome, Firefox (latest) |
| OS | Linux (Ubuntu) |
Console / Network error
Access to XMLHttpRequest at 'https://api.ehrs.swecha.org/api/v1/patients/' from origin 'http://localhost:XXXX' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.
Failed to load resource: net::ERR_FAILED
Root cause (most likely)
Backend is missing CORS configuration.
No Access-Control-Allow-Origin header is returned for cross-origin requests from http://localhost:5173.
Suggested fix
Add CORS middleware to the FastAPI application:
After adding, restart/redeploy the backend.
Severity / Impact
High
- Blocks all local development of patient registration
- Prevents any external / third-party frontend from using the API
- Makes the patient creation feature completely unusable outside the exact production domain
Additional context
- Swagger docs (/docs) are accessible → API itself is running
- Issue occurs in all tested browsers
- Not a frontend bug (request is correctly formed, problem is server-side headers)
Attachments
Please refer to the screenshots.
Thank you for looking into this. This is currently a show-stopper for local development and testing.