Paste your error. Get the fix.
One short page per error. The literal message at the top so it’s recognizable, a one-line explanation, then the copy-paste fix for the framework you’re probably using.
- cors
Blocked by CORS policy: No Access-Control-Allow-Origin header
Your browser is blocking a fetch because the response is missing the right CORS headers. Here is what causes it and the exact fix per stack.
Read fix - headers
Refused to display in iframe: X-Frame-Options or CSP frame-ancestors
Browsers block embedding when the framed page sets X-Frame-Options: DENY/SAMEORIGIN or a CSP frame-ancestors directive that excludes your origin.
Read fix - ssl
Mixed Content: HTTP resource blocked on an HTTPS page
Browsers block insecure (http://) resources loaded inside an https:// page. The fix is to upgrade every URL to https or use protocol-relative URLs.
Read fix - headers
CSP: Refused to execute inline script — script-src violation
Your Content-Security-Policy blocks inline JavaScript. The clean fix is moving to external scripts; the quick fix is adding a nonce or hash.
Read fix - supabase
Supabase: new row violates row-level security policy
Your insert was blocked because no RLS policy on the table allows the current user to write that row. Add a policy or check auth.uid().
Read fix - firebase
Firebase: Missing or insufficient permissions
Firebase Security Rules denied the read or write. Check the rule matching the path and confirm request.auth and resource fields meet the conditions.
Read fix - ssl
ERR_SSL_PROTOCOL_ERROR: This site can’t provide a secure connection
Browser cannot establish TLS with your server. Most often: missing/invalid cert, outdated TLS protocol, or wrong certificate served for the hostname.
Read fix - headers
HSTS error: Resource blocked because the host requires HTTPS
A subresource on an HSTS-protected host was requested over HTTP. The browser refuses without contacting the server. Upgrade the URL.
Read fix - cookies
Cookie rejected: SameSite=None requires Secure flag
Browsers reject Set-Cookie headers with SameSite=None unless the Secure flag is also set. Add Secure or change SameSite to Lax.
Read fix - cors
CORS preflight: Response did not pass access control check
Your server didn’t respond to the OPTIONS preflight properly. Add an OPTIONS handler that returns 204 with the right Access-Control headers.
Read fix