CORS Generator
CORS header generator online free. Build Access-Control headers, select origins, methods. CORS configuration tool.
Allowed Origins
Allowed Methods
Allowed Headers
Options
Warnings
- Wildcard origin allows any website to make requests
- Consider including OPTIONS for preflight requests
Response Headers
Access-Control-Allow-Origin: * Access-Control-Allow-Methods: GET, POST Access-Control-Allow-Headers: Content-Type Access-Control-Max-Age: 86400
Usage
Express.js
res.set({
'Access-Control-Allow-Origin': '*',
'Access-Control-Allow-Methods': 'GET, POST',
'Access-Control-Allow-Headers': 'Content-Type',
'Access-Control-Max-Age': '86400'
});Nginx
add_header 'Access-Control-Allow-Origin' '*'; add_header 'Access-Control-Allow-Methods' 'GET, POST'; add_header 'Access-Control-Allow-Headers' 'Content-Type'; add_header 'Access-Control-Max-Age' '86400';
Features
- Visual builder for CORS (Cross-Origin Resource Sharing) headers
- Configure allowed origins, methods, headers, credentials, and max-age
- Wildcard origin support with security warning when credentials are enabled
- Generated header output for Nginx, Express, Apache, and Koa
- Live preflight request simulation to preview browser behavior
- Common configuration presets (public API, private API, same-site)
Common Use Cases
- Configure a REST API to accept requests from a specific frontend domain
- Debug CORS errors from browser console by understanding the required headers
- Set up CORS for a public API that allows all origins
- Restrict API access to only trusted partner domains
- Generate CORS configuration snippets for different web frameworks
What is CORS?
CORS (Cross-Origin Resource Sharing) is a browser security mechanism that restricts web pages from making requests to a different domain than the one that served the page. Without CORS headers, a script on app.com cannot fetch data from api.com.
CORS uses HTTP headers to tell browsers which cross-origin requests are permitted. The server adds headers like Access-Control-Allow-Origin to its responses, and the browser enforces them. For non-simple requests (e.g., PUT, DELETE, or requests with custom headers), the browser first sends a preflight OPTIONS request to check permissions.
CORS is enforced exclusively by browsers — server-to-server requests (including curl, Postman, and backend services) are never subject to CORS restrictions.
Examples
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POSTAccess-Control-Allow-Origin: https://app.example.com
Access-Control-Allow-Credentials: trueAccess-Control-Allow-Origin: *
Access-Control-Allow-Credentials: trueFrequently Asked Questions
CORS is enforced by browsers only. Postman, curl, and backend applications are not subject to same-origin restrictions, so they never send or enforce CORS checks. If your API works in Postman but not in the browser, the CORS headers are missing or misconfigured on the server side.
No. When Access-Control-Allow-Credentials: true is set, the browser requires an exact origin instead of a wildcard. Setting both * and credentials will cause the browser to block the request entirely. Reflect the specific requesting origin dynamically in this case.
Before sending "non-simple" cross-origin requests, the browser automatically sends an HTTP OPTIONS request (the "preflight") to verify the server permits the method and headers. The server must respond with appropriate Access-Control-Allow-* headers. Cache preflight responses with Access-Control-Max-Age to reduce round trips.
Simple requests: GET/HEAD/POST with only standard headers (Accept, Content-Type: application/x-www-form-urlencoded, etc.) — no preflight. Non-simple: PUT, DELETE, PATCH, custom headers, or JSON Content-Type — browser sends a preflight OPTIONS request first.
💡 Tips
- Never use <code>Access-Control-Allow-Origin: *</code> for APIs that handle authentication cookies or sensitive data.
- Maintain an explicit allowlist of trusted origins and validate the request <code>Origin</code> header against it, dynamically reflecting the matched origin.
- Set <code>Access-Control-Max-Age: 86400</code> to cache preflight responses for 24 hours and reduce latency for repeat requests.
- Log blocked CORS requests server-side to detect misconfiguration or potential attack attempts.