Detrimental Replit CORS Configuration Failure: Custom Domains Strip CORS Headers Breaking Cross-Origin API Access

Hello,

I am a paying customer of Replit, investing over $120 per month for their services. Despite this significant investment, I have encountered severe technical issues with my deployed applications, particularly related to Cross-Origin Resource Sharing (CORS). I have since corroborated these exact issues with other paying users whose APIs are no longer functioning as they used to and are now blocked because the CORS headers are being stripped by Replshield. These issues are not only impacting my ability to deliver functional APIs but are also causing me to lose trust in Replit as a reliable platform. Additionally, Replit’s customer support has been unresponsive to my repeated emails, leaving me feeling abandoned, so I have come to post the bug here, as I am sure there are thousands of affected users.

  1. Tested Locally:
  • The API works perfectly on my local development server and on the Replit development server, confirming that the CORS configuration is correct and cross-origin calls are allowed correctly.
  2. Deployed on Replit:
  • After deployment, the same code fails on fetches due to a CORS issue injected by the Replshield temporary redirect.

On the off chance this is not a bug, please confirm you have been able to complete the above steps without being able to replicate the CORS header stripping.

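The two steps in the report above reduce to one question a practitioner would want answered before filing a bug: does the deployed API's response still carry Access-Control-Allow-Origin, or did a redirect replace the response before the browser ever saw that header? The following is an added example, not code from the original post: a classifier for a single captured response plus a live probe that uses `redirect: 'manual'` so a 307 is shown rather than silently followed. The origin `https://frontend.example`, the function names and the constructed responses are placeholders chosen here; the 307 sample mirrors what the thread describes.

```javascript
// Added example (not from the original post). Node 18+ for global fetch.
// Classify one response to a cross-origin request the way a browser would.
// `status` and `headers` come from the response, `origin` is the page making
// the request, `preflight` marks an OPTIONS preflight rather than the real call.
function classifyCorsResponse({ status, headers, origin, preflight = false }) {
  // Header names are case-insensitive; normalise before looking them up.
  const h = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v])
  );
  if (status >= 300 && status < 400 && h.location) {
    // A preflight must never be redirected: the browser treats that as a
    // network error regardless of what the redirect target would send.
    if (preflight) return { verdict: 'preflight-redirected', location: h.location };
    // A plain request is followed; the CORS check then applies to the final
    // response, and after a cross-origin hop the browser sends "Origin: null",
    // which an allowlist that echoes specific origins will reject.
    return { verdict: 'redirected', location: h.location };
  }
  const acao = h['access-control-allow-origin'];
  if (acao === undefined) return { verdict: 'no-acao' };
  if (acao === '*') {
    // '*' is only usable for credential-less requests.
    return h['access-control-allow-credentials'] === 'true'
      ? { verdict: 'wildcard-with-credentials' }
      : { verdict: 'ok', acao };
  }
  return acao === origin ? { verdict: 'ok', acao } : { verdict: 'acao-mismatch', acao };
}

// Live probe against a deployment. redirect:'manual' keeps the 307 visible.
async function probeCors(url, origin, preflight = false) {
  const res = await fetch(url, {
    method: preflight ? 'OPTIONS' : 'GET',
    redirect: 'manual',
    headers: preflight
      ? { Origin: origin, 'Access-Control-Request-Method': 'GET' }
      : { Origin: origin },
  });
  return classifyCorsResponse({
    status: res.status,
    headers: Object.fromEntries(res.headers),
    origin,
    preflight,
  });
}

// Constructed samples (placeholders, not captured traffic): what the dev
// server returns, and the redirect the thread reports from the deployment.
const ORIGIN = 'https://frontend.example';
const devResponse = {
  status: 200,
  headers: { 'Access-Control-Allow-Origin': ORIGIN },
};
const deployedResponse = {
  status: 307,
  headers: { Location: 'https://replshield.replit.dev/' }, // no ACAO at all
};

console.log('dev:', classifyCorsResponse({ ...devResponse, origin: ORIGIN }));
console.log('deployed preflight:',
  classifyCorsResponse({ ...deployedResponse, origin: ORIGIN, preflight: true }));
// Against a real deployment (placeholder URL):
// probeCors('https://your-app.replit.app/api', ORIGIN, true).then(console.log);
```

Run the preflight probe (third argument `true`) first: if it reports `preflight-redirected`, no amount of server-side CORS configuration will help, because the browser gives up before the API code runs. Only a `no-acao` or `acao-mismatch` verdict points at the application's own settings.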

I haven’t run into this; however, I saw on Reddit that someone mentioned this as well.

Is the app that is running into this issue deployed to production? I am assuming so. Is it deployed to a custom domain (e.g. example.com), or are you accessing it via the included Replit domain, e.g. example.replit.app?

Both included domains and custom domains are redirecting to replshield

Can you post any more details?

What more do you want to know? Try making an API: it will work in dev, but on deployment it will fail with a CORS error if you call it from anywhere but the main app, even with the CORS settings adjusted (as I said, the CORS settings take effect properly with the dev URL). Here is the Repl you can clone:

https://replit.com/t/soteriasc/repls/shockinglytrue12

I have not experienced this issue yet, as I am still in development. Posting this in case any of this information proves useful. Feel free to ignore if you are already aware of this.

The 307 redirect to replshield and the resulting CORS error on your deployed Replit API are due to how Replit manages HTTPS traffic and protects Repls via repl.co or replit.dev domains.

Here’s a breakdown of what’s happening and how to fix it:


What’s Causing the 307 + CORS?

  1. Replit adds an automatic HTTPS redirect via Replshield to enforce HTTPS and protect against misuse.

  2. When you make a request to your Replit API via HTTP (or from a domain without CORS headers set), Replit redirects with a 307 Temporary Redirect to https://replshield.replit.dev/

  3. This redirected request is subject to CORS restrictions, and unless your API is configured to explicitly allow those origins and headers, it fails with a CORS error.


Fix Options

  1. Ensure Your API Accepts HTTPS Requests

Always call your Replit API over https://, not http://.

For example:

// Bad: plain http, which the HTTPS redirect described above intercepts
fetch("http://your-repl-name.username.repl.co/api")

// Good: call the API over https directly
fetch("https://your-repl-name.username.repl.co/api")


  2. Allow CORS in Your API Code

If you’re using Express.js, add CORS middleware:

import cors from 'cors';
import express from 'express';

const app = express();

app.use(cors()); // Allow all origins (for dev only)

// A route to test against with a cross-origin fetch
app.get('/api', (req, res) => res.json({ ok: true }));

app.listen(3000);

Or for more secure config:

app.use(cors({
  origin: ['https://your-frontend-url.com'], // Replace with actual domain
  methods: ['GET', 'POST'],
  allowedHeaders: ['Content-Type'],
  credentials: true // requires an explicit origin above, not '*'
}));

  3. Avoid Mixing Origins

If you are calling your deployed Replit backend from a local frontend (e.g., localhost), ensure:

Your backend CORS allows localhost

Or you deploy both frontend and backend on Replit to keep them on the same origin


  4. Use .replit.dev Instead of .repl.co

When working with Replit’s deployment:

.repl.co often triggers Replshield protections

.replit.dev (the newer domain) is better behaved for CORS and HTTPS

Use: https://your-repl-name.username.replit.dev

Note: this may explain why the API works locally, but once deployed there are tighter restrictions.
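As an added example (not the answer's own code and not the `cors` package), here is the "more secure config" from fix option 2 implemented directly on Node's built-in http module, so every header decision the middleware normally makes for you is visible: an explicit origin allowlist echoed back rather than `*`, `Vary: Origin` so caches do not leak one origin's answer to another, credentials only with a specific origin, and a proper preflight answer including the localhost case from fix option 3. The allowlist entries, the dev port 5173, the `/api` route and the `CORS_DEMO_PORT` variable are placeholders chosen here.

```javascript
// Added example (not from the original answer). CommonJS; run with
//   CORS_DEMO_PORT=3000 node cors-server.js
// Placeholder allowlist: replace with the real frontend origin(s).
const ALLOWED_ORIGINS = new Set([
  'https://your-frontend-url.com', // deployed frontend (placeholder)
  'http://localhost:5173',         // local dev frontend (assumed port)
]);
const ALLOWED_METHODS = ['GET', 'POST'];
const ALLOWED_HEADERS = ['Content-Type', 'Authorization'];

// CORS response headers for one request, or null when the Origin is not on
// the allowlist (the browser then blocks the response on its own).
function corsHeadersFor(origin, requestMethod, isPreflight) {
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return null;
  const headers = {
    // Echo the specific origin: '*' cannot be combined with credentials.
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    // Caches must key on Origin, otherwise one allowed origin's cached
    // response (with its ACAO value) can be served to a different origin.
    'Vary': 'Origin',
  };
  if (isPreflight) {
    // The browser asks about the method it intends to use; refuse others.
    if (!ALLOWED_METHODS.includes(requestMethod)) return null;
    headers['Access-Control-Allow-Methods'] = ALLOWED_METHODS.join(', ');
    headers['Access-Control-Allow-Headers'] = ALLOWED_HEADERS.join(', ');
    headers['Access-Control-Max-Age'] = '600'; // cache the preflight 10 min
  }
  return headers;
}

// Request handler: answers preflights with 204 and decorates real responses.
// Works with node:http's req/res and with any object exposing the same shape.
function handle(req, res) {
  const origin = req.headers.origin;
  const isPreflight =
    req.method === 'OPTIONS' && 'access-control-request-method' in req.headers;
  const method = isPreflight ? req.headers['access-control-request-method'] : req.method;
  const cors = corsHeadersFor(origin, method, isPreflight);
  if (cors) for (const [k, v] of Object.entries(cors)) res.setHeader(k, v);
  if (isPreflight) {
    // No CORS headers at all on a refused preflight; 403 makes it visible in logs.
    res.statusCode = cors ? 204 : 403;
    res.end();
    return;
  }
  if (req.url === '/api') {
    res.setHeader('Content-Type', 'application/json');
    res.end(JSON.stringify({ ok: true }));
  } else {
    res.statusCode = 404;
    res.end();
  }
}

// Only start listening when explicitly asked, so the module can be imported.
if (process.env.CORS_DEMO_PORT) {
  require('node:http').createServer(handle).listen(Number(process.env.CORS_DEMO_PORT));
}
```

With the server running, `curl -i -X OPTIONS -H "Origin: http://localhost:5173" -H "Access-Control-Request-Method: GET" http://localhost:3000/api` should show the 204 with the Allow-* headers, and the same request with an origin not on the list should come back 403 with none of them. Running the same two requests against the deployed URL is the quickest way to see whether the deployment layer returns the application's answer or a redirect instead.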

Wow. Just wow. Roll up folks, buy your popcorn here. We’re in for a great show. Fireworks and everything.