Lovable deployment

Supabase Storage Bucket CORS Error on Upload

File upload to Supabase Storage fails with CORS error. 'Access-Control-Allow-Origin' missing in response. Works with API key but not with RLS. Uploads blocked from production domain.

Supabase Storage requires CORS configuration and proper bucket settings for client-side uploads.

Error Messages You Might See

Access-Control-Allow-Origin header is missing CORS policy does not allow access No such bucket
Access-Control-Allow-Origin header is missingCORS policy does not allow accessNo such bucket

Common Causes

  1. Bucket CORS not configured in Supabase
  2. Domain not added to allowed origins
  3. Not using public bucket when needed
  4. Trying to use private bucket with expired token
  5. RLS policy blocks upload operation

How to Fix It

Configure CORS in Supabase dashboard > Storage > Buckets > select bucket > CORS policy:

[
  {
    "origin": ["https://yourdomain.com"],
    "methods": ["GET", "POST", "PUT", "DELETE"],
    "allowedHeaders": ["*"]
  }
]

Use signed URLs for private uploads or public bucket for direct uploads.

Real developers can help you.

Matthew Jordan Matthew Jordan I've been working at a large software company named Kainos for 2 years, and mainly specialise in Platform Engineering. I regularly enjoy working on software products outside of work, and I'm a huge fan of game development using Unity. I personally enjoy Python & C# in my spare time, but I also specialise in multiple different platform-related technologies from my day job. Rudra Bhikadiya Rudra Bhikadiya I build and fix web apps across Next.js, Node.js, and DBs. Comfortable jumping into messy code, broken APIs, and mysterious bugs. If your project works in theory but not in reality, I help close that gap. Luca Liberati Luca Liberati I work on monoliths and microservices, backends and frontends, manage K8s clusters and love to design apps architecture Nam Tran Nam Tran 10 years as fullstack developer rayush33 rayush33 JavaScript (React.js, React Native, Node.js) Developer with demonstrated industry experience of 4+ years, actively looking for opportunities to hone my skills as well as help small-scale business owners with solutions to technical problems BurnHavoc BurnHavoc Been around fixing other peoples code for 20 years. AUXLE AUXLE I am a Full Stack Developer experienced in building Websites, Web apps and Cross Platform Mobile Apps for Startups and Companies. PawelPloszaj PawelPloszaj I'm fronted developer with 10+ years of experience with big projects. I have small backend background too Kingsley Omage Kingsley Omage Fullstack software engineer passionate about AI Agents, blockchain, LLMs. Tejas Chokhawala Tejas Chokhawala Full-stack engineer with 5 years experience building production web apps using React, Next.js and TypeScript. Focused on performance, clean architecture and shipping fast. Experienced with Supabase/Postgres backends, Stripe billing, and building AI-assisted developer tools.

You don't need to be technical. Just describe what's wrong and a verified developer will handle the rest.

Get Help

Frequently Asked Questions

Should I use public or private bucket?

Public: direct browser uploads with CORS. Private: use signed URLs or server-side uploads.

How long are signed URLs valid?

Configurable from seconds to days. Default is reasonable but set based on your needs.

Related Lovable Issues

CORS Error in Production Blocking Supabase Requests

deployment

Vite Build Produces Blank Page in Production

deployment

Environment Variables Undefined in Production Build

deployment

Vite Hot Module Replacement (HMR) Connection Fails

deployment

Can't fix it yourself?
Real developers can help.

You don't need to be technical. Just describe what's wrong and a verified developer will handle the rest.

Get Help