Build CORS response headers with origin, methods, credentials and more
Cross-Origin Resource Sharing (CORS) is a browser security mechanism that restricts web pages from reading responses to HTTP requests sent to a different origin (scheme, host and port) than the one that served the page. When your JavaScript on `app.example.com` tries to fetch data from `api.example.com`, the browser checks the server's CORS headers before letting the script read the response; for anything beyond a simple request it first sends a preflight OPTIONS request to ask whether the cross-origin request is allowed at all. Without the correct CORS headers, the browser blocks the response even if the server processed the request successfully — a common source of developer confusion.
This tool generates the correct CORS HTTP response headers for your use case: development (allow all origins), production (allow specific origins only), credentialed requests (cookies, Authorization headers), and complex preflight configurations. The key headers are: `Access-Control-Allow-Origin` (which origins are permitted), `Access-Control-Allow-Methods` (permitted HTTP methods), `Access-Control-Allow-Headers` (permitted request headers), and `Access-Control-Max-Age` (preflight cache duration).
For "non-simple" requests (those using methods other than GET, HEAD or POST, request headers outside the CORS-safelisted set, or a Content-Type other than text/plain, application/x-www-form-urlencoded, or multipart/form-data), browsers first send an OPTIONS request — the preflight. The preflight carries the intended method and headers in `Access-Control-Request-Method` and `Access-Control-Request-Headers`, so the server can accept or refuse the actual request before the browser sends it (and its potentially sensitive body). If the preflight succeeds, the browser proceeds with the actual request. Simple requests (GET, HEAD or POST with only safelisted headers and one of the three Content-Types above) skip the preflight.
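The simple-versus-preflight distinction above, written out as a small classifier. This is an added example and not code from the tool; it applies the method, header and Content-Type rules the paragraph lists (the Fetch spec's extra limits on safelisted header value length and characters are noted but not implemented).

```javascript
// Added example: decide whether a cross-origin request is "simple" (no preflight)
// or will trigger a preflight OPTIONS request. Not the tool's own code.

const SIMPLE_METHODS = new Set(["GET", "HEAD", "POST"]);

// CORS-safelisted request headers (compared case-insensitively).
const SAFELISTED_HEADERS = new Set([
  "accept",
  "accept-language",
  "content-language",
  "content-type",
]);

// Content-Type values that keep a request simple; parameters such as
// "; charset=utf-8" are ignored, only the media type counts.
const SIMPLE_CONTENT_TYPES = new Set([
  "text/plain",
  "application/x-www-form-urlencoded",
  "multipart/form-data",
]);

// Returns null when the request is simple, otherwise a short reason string
// naming the first thing that forces a preflight.
// NOTE: the spec additionally caps safelisted header values at 128 bytes and
// forbids some characters in them; those checks are omitted here.
function preflightReason(method, headers) {
  if (!SIMPLE_METHODS.has(String(method).toUpperCase())) {
    return `method ${method} is not GET/HEAD/POST`;
  }
  for (const [name, value] of Object.entries(headers || {})) {
    const lower = name.toLowerCase();
    if (!SAFELISTED_HEADERS.has(lower)) {
      return `header ${name} is not CORS-safelisted`;
    }
    if (lower === "content-type") {
      const mediaType = String(value).split(";")[0].trim().toLowerCase();
      if (!SIMPLE_CONTENT_TYPES.has(mediaType)) {
        return `Content-Type ${mediaType} is not a simple type`;
      }
    }
  }
  return null;
}

function needsPreflight(method, headers) {
  return preflightReason(method, headers) !== null;
}

// Constructed sample requests, as a browser would describe them.
const SAMPLES = [
  ["GET", { Accept: "application/json" }],
  ["POST", { "Content-Type": "text/plain; charset=utf-8" }],
  ["POST", { "Content-Type": "application/json" }],
  ["GET", { Authorization: "Bearer constructed-token" }],
  ["PUT", {}],
];

for (const [method, headers] of SAMPLES) {
  const reason = preflightReason(method, headers);
  console.log(method, JSON.stringify(headers), "->", reason ? `preflight (${reason})` : "simple");
}
```

The classic surprise is the third sample: a plain `fetch` POST of JSON is not simple, because `application/json` is outside the three allowed Content-Types, so the server must answer the OPTIONS request correctly before the POST is ever sent.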
You cannot combine `Access-Control-Allow-Origin: *` with `Access-Control-Allow-Credentials: true`; browsers reject the response. This is a deliberate security restriction. For credentialed requests (cookies, Authorization headers), you must specify the exact origin: `Access-Control-Allow-Origin: https://app.example.com`. Wildcards are intentionally forbidden for credentialed cross-origin requests because they would allow any site to make credentialed requests on the user's behalf and read the responses — a major security vulnerability.
A CORS error means: the request reached the server, the server responded, but the browser blocked the JavaScript from reading the response because CORS headers were missing or incorrect. A network error means: the request never reached the server (DNS failure, connection refused, timeout). In the browser console, CORS errors appear as "Access to fetch at '...' from origin '...' has been blocked by CORS policy". Importantly: the server already processed the request — CORS is purely a browser-side read restriction.
The `Access-Control-Allow-Origin` header can only contain a single origin value or `*`. To allow multiple specific origins, use server-side logic: check the request's `Origin` header against your allowlist, and if it matches, reflect that specific origin back in the response: `if (ALLOWED_ORIGINS.includes(req.headers.origin)) { res.setHeader("Access-Control-Allow-Origin", req.headers.origin); }`. Compare the whole origin string exactly; prefix, suffix or regex matching (for example accepting any origin that contains `example.com`) is a common misconfiguration that lets unrelated origins pass. Also set the `Vary: Origin` header to tell caches that the response varies by origin, so a response for one origin is never served to another.
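The header-building logic described across this page (development wildcard, production allowlist with origin reflection plus `Vary: Origin`, the no-wildcard-with-credentials rule, and the preflight-only headers) as one function. This is an added example, not the tool's own implementation; the `policy` object shape and the sample policies are assumptions of this example.

```javascript
// Added example, not the tool's code: derive CORS response headers for one
// request from a policy object. The policy shape is this example's assumption:
//
//   allowedOrigins:   "*" or an array of exact origins ("https://app.example.com")
//   allowCredentials: boolean (default false)
//   methods:          array of methods announced on preflight
//   allowedHeaders:   array of request headers announced on preflight
//   exposeHeaders:    array of response headers scripts may read (actual response only)
//   maxAge:           preflight cache lifetime in seconds
//
// requestOrigin is the request's Origin header (undefined for same-origin or
// non-browser clients); isPreflight is true for the OPTIONS preflight.
function buildCorsHeaders(policy, requestOrigin, isPreflight) {
  const {
    allowedOrigins,
    allowCredentials = false,
    methods = ["GET", "POST"],
    allowedHeaders = [],
    exposeHeaders = [],
    maxAge,
  } = policy;
  const headers = {};
  const wildcard = allowedOrigins === "*";

  // Browsers reject this pairing anyway; failing at configuration time is clearer.
  if (wildcard && allowCredentials) {
    throw new Error(
      "Access-Control-Allow-Origin: * cannot be combined with Access-Control-Allow-Credentials: true"
    );
  }

  if (wildcard) {
    headers["Access-Control-Allow-Origin"] = "*";
  } else {
    // The response now depends on the Origin request header, so caches must key
    // on it, for rejected origins too (a cached rejection must not be served to
    // an allowed origin, and vice versa).
    headers["Vary"] = "Origin";
    // Exact, case-sensitive comparison of the whole origin (scheme://host[:port]).
    // No prefix, suffix or pattern matching.
    if (typeof requestOrigin !== "string" || !allowedOrigins.includes(requestOrigin)) {
      return headers; // not allowed: reflect nothing, the browser blocks the read
    }
    headers["Access-Control-Allow-Origin"] = requestOrigin;
  }

  if (allowCredentials) {
    headers["Access-Control-Allow-Credentials"] = "true";
  }

  if (isPreflight) {
    headers["Access-Control-Allow-Methods"] = methods.join(", ");
    if (allowedHeaders.length > 0) {
      headers["Access-Control-Allow-Headers"] = allowedHeaders.join(", ");
    }
    if (maxAge !== undefined) {
      headers["Access-Control-Max-Age"] = String(maxAge);
    }
  } else if (exposeHeaders.length > 0) {
    headers["Access-Control-Expose-Headers"] = exposeHeaders.join(", ");
  }
  return headers;
}

// Constructed sample policies for the two modes the tool describes.
const DEV_POLICY = { allowedOrigins: "*", methods: ["GET", "POST", "PUT", "DELETE"] };
const PROD_POLICY = {
  allowedOrigins: ["https://app.example.com", "https://admin.example.com"],
  allowCredentials: true,
  methods: ["GET", "POST", "PUT", "DELETE"],
  allowedHeaders: ["Authorization", "Content-Type"],
  exposeHeaders: ["X-Request-Id"],
  maxAge: 600,
};

// Node/Express-style usage (hypothetical handler, shown for illustration):
//   const h = buildCorsHeaders(PROD_POLICY, req.headers.origin, req.method === "OPTIONS");
//   for (const [k, v] of Object.entries(h)) res.setHeader(k, v);
//   if (req.method === "OPTIONS") return res.status(204).end();

console.log("dev:", buildCorsHeaders(DEV_POLICY, "https://anything.example", false));
console.log("prod preflight:", buildCorsHeaders(PROD_POLICY, "https://app.example.com", true));
console.log("prod rejected:", buildCorsHeaders(PROD_POLICY, "https://app.example.com.other.example", true));
```

Two behaviours are worth noticing: a lookalike origin such as `https://app.example.com.other.example` gets only `Vary: Origin` and no `Access-Control-Allow-Origin`, because the match is on the full string rather than a prefix; and `Access-Control-Expose-Headers` is emitted only on the actual response, since the preflight answer is never exposed to script.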