Cross-Origin Resource Sharing (CORS) is a browser security mechanism that restricts web pages from making requests to a different domain than the one that served the page. Servers opt-in to cross-origin access by returning specific Access-Control-* response headers.

When should I use a wildcard (*) origin?

Use * only for fully public APIs that serve no user-specific data. Wildcard origins cannot be combined with Allow-Credentials: true — browsers will reject such responses.

What is a preflight request?

Browsers send an OPTIONS preflight request before any non-simple request (e.g. PUT, DELETE, or requests with custom headers) to check whether the server permits the actual request. The Max-Age header caches the preflight result to avoid repeated round trips.

Why can't I use credentials with a wildcard origin?

The CORS specification explicitly forbids combining Access-Control-Allow-Origin: * with Access-Control-Allow-Credentials: true. You must list specific origins when credentials (cookies, HTTP auth, TLS client certs) are involved.

Are these headers enough to enable CORS?

Yes, for most use cases. Add these headers to every response your server returns for the relevant routes, including the OPTIONS preflight response. Some servers also need to be configured to respond to OPTIONS requests with a 204 or 200 status.

CORS Header Builder

Name: CORS Header Builder
Availability: InStock
Author: Nham Vu

Configure allowed origins, methods, headers, and credentials, then get the exact Access-Control-* headers plus server config snippets to copy and paste.

CORS Policy Configuration

Allowed Origins

One origin per line. Use * for all origins (incompatible with credentials).

Allowed Methods

GET POST PUT DELETE PATCH OPTIONS HEAD

Allowed Headers

Expose Headers

Headers the browser is allowed to read from the response.

Allow Credentials

Allows cookies and HTTP authentication. Cannot be used with wildcard origin.

Preflight Cache Max Age (seconds)

How long browsers may cache the preflight result. 86400 = 24 hours.

Raw HTTP Response Headers

Generate headers to see output...

nginx Configuration

Generate headers to see output...

Apache (.htaccess)

Generate headers to see output...

Express.js / Node.js

Generate headers to see output...

Copied!

Summary

Configure allowed origins, methods, headers, and credentials, then get the exact Access-Control-* headers plus server config snippets to copy and paste.

How it works

Fill in the allowed origins, select HTTP methods, specify allowed and exposed headers, set credentials and cache duration. The tool generates the correct Access-Control-* response headers and wraps them in server-specific config blocks you can paste directly into your configuration.

Use cases

Configure CORS for a REST API served from a different domain than the frontend.
Set up preflight response headers for browsers making credentialed cross-origin requests.
Generate production nginx location blocks or Apache .htaccess CORS directives.
Debug a CORS policy by inspecting exactly which headers will be emitted.
Lock down an API to specific origins before deploying to production.

Frequently Asked Questions

Last updated: 2026-06-09 · Reviewed by Nham Vu