
CORS Policy Builder

Configure Cross-Origin Resource Sharing (CORS) headers for your API. Generate Access-Control-* headers and Express/Nginx/Apache config with security warnings.

CORS Configuration

Request type: Simple + Preflight (OPTIONS preflight required for non-simple methods/headers)
Access-Control-Allow-Origin: https://example.com
Vary: Origin
Access-Control-Allow-Methods: GET, POST
Access-Control-Allow-Headers: Content-Type, Authorization
Access-Control-Max-Age: 86400

Header Reference

Access-Control-Allow-Origin
Example: https://example.com or *

Specifies which origin(s) are allowed to read the response: either one specific origin or the wildcard *. The wildcard is not permitted when credentials are included.

Access-Control-Allow-Methods
Example: GET, POST, PUT

Lists the HTTP methods allowed when accessing the resource in cross-origin requests. Applies to preflight requests.

Access-Control-Allow-Headers
Example: Content-Type, Authorization

Lists request headers that may be used in the actual request. Any header outside the CORS-safelisted set requires explicit listing here.

Access-Control-Expose-Headers
Example: X-Custom-Header

Lists response headers that browsers are allowed to access from JavaScript. By default only CORS-safelisted headers are exposed.

Access-Control-Allow-Credentials
Example: true

Indicates whether the request can include user credentials (cookies, HTTP authentication, client TLS certificates). Requires a specific origin, not the wildcard.

Access-Control-Max-Age
Example: 86400

Indicates how long (seconds) the results of a preflight request can be cached. Reduces preflight overhead.

Vary: Origin
Example: Origin

Tells caches that the response varies by the Origin request header. Required whenever Access-Control-Allow-Origin is chosen per request, so a cached response issued for one origin is not served to a different origin (cache poisoning).
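The header logic described above, as an added example that is not the tool's generated Express config: a pure function that builds the Access-Control-* headers from an exact-match origin allowlist, refuses the wildcard-plus-credentials combination, and sets Vary: Origin on every response of an allowlisted endpoint (including the denied case). The config object shape is an assumption made for this example.

```javascript
// Assumed config shape (not the tool's own format):
// { allowedOrigins: ['https://example.com'] or ['*'], methods: [...],
//   allowedHeaders: [...], exposeHeaders: [...], credentials: bool, maxAge: seconds }
function buildCorsHeaders(requestOrigin, config, isPreflight) {
  const headers = {};
  const wildcard = config.allowedOrigins.includes('*');

  // Browsers reject "*" together with credentials; refuse to emit it at all.
  if (wildcard && config.credentials) {
    throw new Error('Access-Control-Allow-Origin: * cannot be combined with credentials');
  }

  if (wildcard) {
    headers['Access-Control-Allow-Origin'] = '*';
  } else {
    // The response now depends on the Origin header, so caches must key on it,
    // even when we end up emitting no CORS headers for this particular origin.
    headers['Vary'] = 'Origin';
    // Exact-match allowlist: never reflect the incoming Origin unchecked.
    if (!requestOrigin || !config.allowedOrigins.includes(requestOrigin)) {
      return headers; // origin not allowed: no Allow-Origin, browser blocks the read
    }
    headers['Access-Control-Allow-Origin'] = requestOrigin;
  }

  if (config.credentials) {
    headers['Access-Control-Allow-Credentials'] = 'true';
  }
  if (config.exposeHeaders && config.exposeHeaders.length > 0) {
    headers['Access-Control-Expose-Headers'] = config.exposeHeaders.join(', ');
  }

  // Preflight-only headers: methods, non-safelisted request headers, cache lifetime.
  if (isPreflight) {
    headers['Access-Control-Allow-Methods'] = config.methods.join(', ');
    headers['Access-Control-Allow-Headers'] = config.allowedHeaders.join(', ');
    headers['Access-Control-Max-Age'] = String(config.maxAge);
  }
  return headers;
}

// Constructed sample matching the generated configuration above.
const sampleConfig = {
  allowedOrigins: ['https://example.com'],
  methods: ['GET', 'POST'],
  allowedHeaders: ['Content-Type', 'Authorization'],
  exposeHeaders: [],
  credentials: false,
  maxAge: 86400,
};
```

In Express the returned object can be applied with res.set(headers) and an OPTIONS request answered with an empty 204 after the headers are set.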


marduc812

2026