CORS Header Generator
Generate Cross-Origin Resource Sharing (CORS) headers for your API
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, PUT, DELETE
Access-Control-Allow-Headers: Content-Type, Authorization
Access-Control-Max-Age: 86400
About This Tool
CORS (Cross-Origin Resource Sharing) is the browser mechanism that controls which origins can read responses from a server. The server signals permitted access via response headers — primarily Access-Control-Allow-Origin, Allow-Methods, Allow-Headers, and Allow-Credentials.
Specify allowed origins, methods, headers, and credential rules to receive a generated header block. Output works as Express/Koa middleware config, Nginx config, or a static reference for cloud function setup.
The CORS protocol is enforced entirely by the browser. The server sends headers; the browser decides whether to expose the response to the calling JavaScript. A server that doesn't set CORS headers still responds, but the browser blocks the response from script access while allowing it for the user (which is why you can fetch a cross-origin image into an img tag but can't read its pixels via canvas without CORS). Simple requests (GET, HEAD, POST with content-type form-urlencoded/multipart/text) skip preflight. Anything else triggers an OPTIONS preflight: the browser asks the server which methods and headers are permitted, the server replies, and only if the response satisfies the request does the actual call go out.
A worked example. An API at api.example.com needs to accept requests from the SPA at app.example.com, including credentialed requests (cookies). The generator outputs:
Access-Control-Allow-Origin: https://app.example.com
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS
Access-Control-Allow-Headers: Content-Type, Authorization
Access-Control-Allow-Credentials: true
Access-Control-Max-Age: 86400
Vary: Origin
Max-Age caches the preflight response for 24 hours so repeated calls skip the OPTIONS round trip. Vary: Origin is required when echoing the origin back so caches don't return the wrong response to a different origin.
Limitations and the most common bugs. Allow-Origin: * with credentials is rejected by browsers — you must echo the specific origin. Echoing without an allowlist is a common but unsafe shortcut; an attacker can send a request from any origin and read the response. Always validate against a server-side list. The OPTIONS preflight is what kills most teams' first cross-origin attempts; if the server returns 405 or 404 on OPTIONS, the actual request never goes out and the browser logs a cryptic CORS error. Missing Vary: Origin causes shared caches (CDN, browser cache) to return the wrong CORS headers to a different origin. Allow-Headers is case-insensitive in CORS but case-sensitive in some Express middleware versions — a known footgun. For dev environments, browser CORS extensions can mask real bugs that production users will hit.
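The worked example and the bug list above, as an added example that is not the generator's own output or code: a framework-agnostic policy function you can wrap as Express/Koa middleware. It validates Origin against a server-side allowlist, echoes the exact origin with Vary: Origin, and answers preflight OPTIONS with 204 instead of 404/405. The allowlist entries and the request shape are constructed for the demonstration.

```javascript
// Added example, not code from the CORS generator. Allowlist values are constructed.
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]); // server-side allowlist
const ALLOWED_METHODS = ["GET", "POST", "PUT", "DELETE", "OPTIONS"];
const ALLOWED_HEADERS = ["content-type", "authorization"];     // compared lower-cased
const MAX_AGE = 86400;                                         // cache preflight for 24h

// req is a minimal { method, headers } object (header names lower-cased, as Node gives them).
// Returns { status, headers, handled }: handled === true means "respond now" (a preflight
// or a refused preflight); false means "set these headers, then run the normal route".
function applyCors(req, { allowCredentials = true } = {}) {
  const origin = req.headers["origin"];
  const reqMethod = req.headers["access-control-request-method"];
  const isPreflight = req.method === "OPTIONS" && !!origin && !!reqMethod;

  // No Origin header: same-origin request or non-browser client, nothing to do.
  if (!origin) return { status: 200, headers: {}, handled: false };

  // Origin not on the allowlist: emit no Allow-* headers at all. Echoing an arbitrary
  // origin would let any site read the response. Vary: Origin is still set so a shared
  // cache does not hand this header-less response to an allowed origin later.
  if (!ALLOWED_ORIGINS.has(origin)) {
    return { status: isPreflight ? 403 : 200, headers: { Vary: "Origin" }, handled: isPreflight };
  }

  // Echo the exact origin (never "*" alongside credentials) and mark the response
  // as varying by Origin so CDNs and browser caches keep per-origin copies.
  const headers = { "Access-Control-Allow-Origin": origin, Vary: "Origin" };
  if (allowCredentials) headers["Access-Control-Allow-Credentials"] = "true";
  if (!isPreflight) return { status: 200, headers, handled: false };

  // Preflight: check the requested method and headers against the policy.
  // Header names are compared case-insensitively, as the CORS protocol requires.
  const reqHeaders = (req.headers["access-control-request-headers"] || "")
    .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);
  const methodOk = ALLOWED_METHODS.includes(reqMethod.toUpperCase());
  const headersOk = reqHeaders.every((h) => ALLOWED_HEADERS.includes(h));
  if (!methodOk || !headersOk) return { status: 403, headers, handled: true };

  headers["Access-Control-Allow-Methods"] = ALLOWED_METHODS.join(", ");
  headers["Access-Control-Allow-Headers"] = "Content-Type, Authorization";
  headers["Access-Control-Max-Age"] = String(MAX_AGE);
  return { status: 204, headers, handled: true }; // 204 on OPTIONS, never 404/405
}
```

In Express the wrapper is a few lines: call applyCors(req), copy the returned headers onto res, and either end the response with the returned status when handled is true or call next().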
The about text and FAQ on this page were drafted with AI assistance and reviewed by a member of the Coherence Daddy team before publishing. See our Content Policy for editorial standards.