Configure Cross-Origin Resource Sharing (CORS) headers for your API. Generate Access-Control-* headers and Express/Nginx/Apache config with security warnings.
CORS Configuration
Access-Control-Allow-Origin: https://example.com
Vary: Origin
Access-Control-Allow-Methods: GET, POST
Access-Control-Allow-Headers: Content-Type, Authorization
Access-Control-Max-Age: 86400
Header Reference
Access-Control-Allow-Origin
Example: https://example.com or *
Specifies which origin(s) are allowed to read the response: either one specific origin or the wildcard *. Cannot be * when credentials are included.
Access-Control-Allow-Methods
Example: GET, POST, PUT
Lists the HTTP methods allowed when accessing the resource in cross-origin requests. Applies to preflight requests.
Access-Control-Allow-Headers
Example: Content-Type, Authorization
Lists request headers that may be used in the actual request. Any header outside the CORS-safelisted set requires explicit listing here.
Access-Control-Expose-Headers
Example: X-Custom-Header
Lists response headers that browsers are allowed to access from JavaScript. By default only CORS-safelisted headers are exposed.
Access-Control-Allow-Credentials
Example: true
Indicates whether the request can include user credentials (cookies, HTTP authentication, TLS client certificates). Requires a specific origin, not the wildcard.
Access-Control-Max-Age
Example: 86400
Indicates how long (seconds) the results of a preflight request can be cached. Reduces preflight overhead.
Vary: Origin
Example: Origin
Tells caches that the response varies by the request's Origin header. Required whenever Access-Control-Allow-Origin is set dynamically per origin, so that a shared cache does not serve one origin's response to another (cache poisoning).
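The following is an added example, not the generator's own output, showing how the headers above fit together on the server side: a dependency-free Node.js helper that matches the request's Origin against an allowlist, emits Vary: Origin on every response, never combines * with credentials, and short-circuits preflights. The origins, methods and header names are constructed sample values; corsHeaders and corsMiddleware are hypothetical names chosen here.

```javascript
// Added example (not from the CORS generator page). Plain Node.js, no Express
// dependency; corsMiddleware uses only the req/res shape shared by http and Express.

// Constructed sample policy: which origins may read responses, with credentials.
const ALLOWED_ORIGINS = new Set(["https://example.com", "https://app.example.com"]);
const ALLOWED_METHODS = ["GET", "POST"];
const ALLOWED_HEADERS = ["Content-Type", "Authorization"];
const EXPOSED_HEADERS = ["X-Request-Id"];
const MAX_AGE_SECONDS = 86400;
const ALLOW_CREDENTIALS = true; // forces exact-origin matching; "*" is never emitted

// Compute the Access-Control-* headers for one request.
//   origin        value of the request's Origin header (undefined if absent)
//   method        HTTP method of the request
//   requestMethod value of Access-Control-Request-Method (present only on preflights)
// Returns { status, headers }: status 204 means "answer the preflight and stop",
// null means "add these headers and continue to the real handler".
function corsHeaders({ origin, method, requestMethod }) {
  // Vary: Origin on every response, including same-origin and rejected ones,
  // so a shared cache never reuses an origin-specific response across origins.
  const headers = { Vary: "Origin" };
  const isPreflight = method === "OPTIONS" && requestMethod !== undefined;

  if (origin === undefined || !ALLOWED_ORIGINS.has(origin)) {
    // Unknown origin: emit no Access-Control-Allow-Origin at all. Reflecting the
    // request's Origin here would silently grant every site credentialed access.
    return { status: isPreflight ? 204 : null, headers };
  }

  // Exact allowlisted origin, echoed back verbatim (never "*" with credentials).
  headers["Access-Control-Allow-Origin"] = origin;
  if (ALLOW_CREDENTIALS) headers["Access-Control-Allow-Credentials"] = "true";

  if (isPreflight) {
    // Preflight answer: what the browser may send in the actual request, and
    // for how long it may cache this answer.
    headers["Access-Control-Allow-Methods"] = ALLOWED_METHODS.join(", ");
    headers["Access-Control-Allow-Headers"] = ALLOWED_HEADERS.join(", ");
    headers["Access-Control-Max-Age"] = String(MAX_AGE_SECONDS);
    return { status: 204, headers };
  }

  // Actual request: additionally let scripts read non-safelisted response headers.
  if (EXPOSED_HEADERS.length > 0) {
    headers["Access-Control-Expose-Headers"] = EXPOSED_HEADERS.join(", ");
  }
  return { status: null, headers };
}

// Middleware wrapper usable with Node's http module or Express (hypothetical name).
function corsMiddleware(req, res, next) {
  const { status, headers } = corsHeaders({
    origin: req.headers.origin,
    method: req.method,
    requestMethod: req.headers["access-control-request-method"],
  });
  for (const [name, value] of Object.entries(headers)) res.setHeader(name, value);
  if (status !== null) {
    res.statusCode = status;
    res.end();
    return;
  }
  next();
}

module.exports = { corsHeaders, corsMiddleware };
```

Register corsMiddleware before your routes (app.use(corsMiddleware) in Express, or call it first inside the http request listener). The design choice worth noting is the rejection branch: an origin outside the allowlist gets no Access-Control-Allow-Origin header at all, rather than a reflected origin or a wildcard, so the browser blocks the read while the Vary header still keeps caches correct.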
marduc812
2026