CORS issue
vijayadhithyanmohan1701
HOBBYOP

20 days ago

I am unable to call APIs from my Next.js app. I have added the CORS origins and regex environment variables; however, it still doesn’t seem to pick them up. I tried a separate connection by directly connecting to Supabase and it works. I just couldn’t connect it through Railway. I have been at this for two days and I need some help.

$10 Bounty

5 Replies

Status changed to Open Railway 20 days ago


Are you getting any errors in the browser console?


ldsjunior-ui
PRO

20 days ago

CORS via env vars on Railway: 5 things to check

Since you're getting CORS errors even after setting the origin/regex variables, the issue is almost certainly one of these:

  1. Env var value includes literal quotes (most common Railway gotcha)

In Railway's dashboard, if you typed the value with quotes:

```
ALLOWED_ORIGINS="https://yourapp.com"
```

Your app receives "https://yourapp.com" with the quotes as part of the string. The CORS check does an exact string match and fails silently.

Fix: Remove the surrounding quotes. The value should be:

```
ALLOWED_ORIGINS=https://yourapp.com
```

  2. CORS middleware is not first in the stack

In Express, Fastify, or any Node framework, the CORS middleware must be registered before all routes and other middleware. If it comes after a route handler or error middleware, the Access-Control-Allow-Origin header is never added to the response.

```js
// Correct order
app.use(cors({ origin: process.env.ALLOWED_ORIGINS }));
app.use(express.json());
app.use('/api', yourRoutes);
```

If CORS is added after app.use('/api', ...), preflight OPTIONS requests return 404 with no CORS headers and the browser blocks the actual request.

  3. Credentials + wildcard conflict

If your frontend sends credentials: 'include' (for cookies or auth headers), the backend cannot respond with Access-Control-Allow-Origin: *. It must respond with the exact requesting origin.

Your CORS config must be:

```js
cors({
  origin: process.env.ALLOWED_ORIGINS, // exact domain, not *
  credentials: true,
})
```

And Access-Control-Allow-Credentials: true must be in the response headers. A wildcard * with credentials is rejected by every browser.

  4. Regex env var format

If you're using a regex-based origin check, Railway stores it as a raw string. Your code likely does:

```js
new RegExp(process.env.CORS_ORIGIN_REGEX)
```

Railway may escape characters differently. Test the actual value your app receives by adding a temporary debug endpoint:

```js
app.get('/debug-cors', (req, res) => {
  res.json({
    ALLOWED_ORIGINS: process.env.ALLOWED_ORIGINS,
    CORS_ORIGIN_REGEX: process.env.CORS_ORIGIN_REGEX,
  });
});
```

Hit that endpoint after deploy to confirm what Railway is actually injecting.

  5. Bypass CORS entirely using Railway's private network

If both your Next.js app and your backend are deployed on Railway in the same project, you do not need CORS at all. Use Railway's private network URL instead of the public domain:

```
http://your-service.railway.internal:PORT
```

Private network calls are server-to-server (Next.js API route → backend), never browser-to-backend, so the browser's same-origin policy does not apply. This is the cleanest fix and removes the env var dependency entirely.

Go to your backend service in Railway → Settings → Networking → you'll see the private DNS hostname there.

How to confirm which issue you have

Open your browser DevTools → Network tab → find the failing request → look at:

Request headers: is Origin: https://yourapp.com present?

Response headers: is Access-Control-Allow-Origin present? What value does it have?

Preflight: is there an OPTIONS request before the failing one? Does it return 200 or 404?

This will tell you in 30 seconds whether the CORS header is missing entirely (middleware order or env var not loading) vs present but wrong value (credentials/wildcard conflict).

This should unblock you -- share what the Network tab shows and I can narrow it down further.
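An origin check covering the quoted-value, credentials and regex points from the reply above, as an added example that is not part of the original post. The function names and the sample values are assumptions, and anchoring the regex so it must match the whole `Origin` header goes beyond what the reply covers.

```javascript
// Added example: function names and the sample env values are hypothetical.

// Trim whitespace and one pair of surrounding quotes that the dashboard may
// have stored as part of the value, e.g. '"https://yourapp.com"'.
function cleanEnvValue(raw) {
  const v = (raw || '').trim();
  const quoted = v.length >= 2 && (v[0] === '"' || v[0] === "'") && v.endsWith(v[0]);
  return quoted ? v.slice(1, -1).trim() : v;
}

// Comma-separated allow-list -> Set of origins without trailing slashes.
// "*" is dropped because this example always sends credentials.
function parseOriginList(raw) {
  const items = cleanEnvValue(raw).split(',').map((o) => cleanEnvValue(o).replace(/\/+$/, ''));
  return new Set(items.filter((o) => o !== '' && o !== '*'));
}

// Compile the regex env var so it must match the whole Origin header.
// Unanchored, the sample pattern below would also accept
// "https://preview-1.yourapp.com.attacker.example".
function compileOriginRegex(raw) {
  const src = cleanEnvValue(raw);
  if (src === '') return null;
  try {
    return new RegExp(`^(?:${src})$`);
  } catch (err) {
    return null; // invalid pattern: fail closed
  }
}

// Response headers for one request; {} means "send no CORS headers".
function corsHeadersFor(requestOrigin, env) {
  const list = parseOriginList(env.ALLOWED_ORIGINS);
  const re = compileOriginRegex(env.CORS_ORIGIN_REGEX);
  const allowed = typeof requestOrigin === 'string' &&
    (list.has(requestOrigin) || (re !== null && re.test(requestOrigin)));
  if (!allowed) return {};
  return {
    'Access-Control-Allow-Origin': requestOrigin, // exact origin, never "*"
    'Access-Control-Allow-Credentials': 'true',
    Vary: 'Origin', // caches must not reuse this response for another origin
  };
}

// Constructed sample values, including the stray quotes and trailing slash.
const sampleEnv = {
  ALLOWED_ORIGINS: '"https://yourapp.com/, https://admin.yourapp.com"',
  CORS_ORIGIN_REGEX: 'https://[a-z0-9-]+\\.yourapp\\.com',
};
```

With the `cors` package, the same decision can be made inside a function passed as the `origin` option.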


If I understood correctly, you're having an issue with env variables in your Next.js app? If that's the case, I suggest you check where in your Next app you're using the variables. Env variables that are not prefixed with `NEXT_PUBLIC_` aren't available in client components, only in server components, route handlers, and server actions.


> darseen
>
> If I understood correctly, you're having an issue with env variables in your Next.js app? If that's the case, I suggest you check where in your Next app you're using the variables. Env variables that are not prefixed with `NEXT_PUBLIC_` aren't available in client components, only in server components, route handlers, and server actions.

vijayadhithyanmohan1701
HOBBYOP

20 days ago

I am hosting the frontend from Vercel and I have added Next public env vars. The API call sends its request to Railway, but Railway seems to block the URL due to CORS policy. But I have added the URL to allow CORS and I'm having the function in place to accept requests from the URL.


> vijayadhithyanmohan1701
>
> I am hosting the frontend from Vercel and I have added Next public env vars. The API call sends its request to Railway, but Railway seems to block the URL due to CORS policy. But I have added the URL to allow CORS and I'm having the function in place to accept requests from the URL.

Can you share your CORS setup, and your Next.js app domain? Sharing the exact error text is helpful as well.

