Fix: ASP.NET Core CORS Policy Not Working in Production

A common gotcha when deploying ASP.NET Core apps — CORS works in dev but silently breaks in prod.

asp.net cors deployment fix

Problem


You've configured CORS in Program.cs, it works perfectly on localhost, but once deployed your API returns:


Access to XMLHttpRequest has been blocked by CORS policy

Root Cause


The most common culprit: order of middleware matters. UseCors() must be called before UseAuthorization() and UseEndpoints().


Solution


app.UseRouting();
app.UseCors("AllowFrontend");   // MUST come before UseAuthorization
app.UseAuthentication();
app.UseAuthorization();
app.MapControllers();

Also ensure your policy name matches exactly — C# string comparison is case-sensitive.