It turned out that I had to enable CORS for my own port and domain, I run ktor on

localhost:5000

and I had to enable CORS for

localhost:5000

as well, which seems weird to me. I did not get the usual

CORS not allowed header blabla

just a

403

If you have

Origin

in http headers and CORS is enabled, then ktor will check if method is allowed. Default methods are GET, HEAD and POST. If you allow other methods with CORS-control, you need to add

method(HttpMethod.Put)

to CORS configuration.