CORS Header Generator

Generate Cross-Origin Resource Sharing (CORS) HTTP headers and server configuration snippets for your API or web application.

Generated Headers

    Access-Control-Allow-Origin: *
    Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS
    Access-Control-Allow-Headers: Content-Type, Authorization, Accept
    Access-Control-Max-Age: 86400

Server Configuration

Nginx

    location /api/ {
        # "always" adds the header to every response code, including the 204 below
        add_header Access-Control-Allow-Origin "*" always;
        add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS" always;
        add_header Access-Control-Allow-Headers "Content-Type, Authorization, Accept" always;
        add_header Access-Control-Max-Age "86400" always;

        # Answer preflight requests with an empty response
        if ($request_method = OPTIONS) {
            return 204;
        }
    }

Apache

    Header always set Access-Control-Allow-Origin "*"
    Header always set Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"
    Header always set Access-Control-Allow-Headers "Content-Type, Authorization, Accept"
    Header always set Access-Control-Max-Age "86400"

    # Answer preflight requests with 204
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} OPTIONS
    RewriteRule ^(.*)$ $1 [R=204,L]

Express.js

    import express from 'express';
    import cors from 'cors';

    const app = express();

    // Register the CORS middleware before the routes it should cover
    app.use(cors({
      origin: '*',
      methods: ['GET', 'POST', 'PUT', 'DELETE', 'OPTIONS'],
      allowedHeaders: ['Content-Type', 'Authorization', 'Accept'],
      maxAge: 86400,
    }));

Vercel (vercel.json)

    {
      "headers": [
        {
          "source": "/api/(.*)",
          "headers": [
            { "key": "Access-Control-Allow-Origin", "value": "*" },
            { "key": "Access-Control-Allow-Methods", "value": "GET, POST, PUT, DELETE, OPTIONS" },
            { "key": "Access-Control-Allow-Headers", "value": "Content-Type, Authorization, Accept" },
            { "key": "Access-Control-Max-Age", "value": "86400" }
          ]
        }
      ]
    }

About CORS

Cross-Origin Resource Sharing (CORS) is a security mechanism that allows web applications on one domain to request resources from another domain.

  • Preflight Requests - OPTIONS requests sent before cross-origin requests with custom headers
  • Credentials - Cannot use * origin with credentials; must specify exact origins
  • Max-Age - How long browsers cache preflight responses (default: 5 seconds)
  • Simple Requests - GET/HEAD/POST with standard headers skip preflight

What is This Tool?

A CORS header generator creates Cross-Origin Resource Sharing HTTP headers and server configuration snippets. Configure allowed origins, methods, headers, and credentials to properly enable cross-origin API access while maintaining security controls.

CORS is a browser security mechanism that blocks web pages from making requests to a different domain than the one serving the page. Servers must explicitly opt in by sending Access-Control-Allow-* headers. Misconfigured CORS either blocks legitimate requests or creates security vulnerabilities by allowing too much access.

Common Use Cases

API Development

Configure CORS headers for REST and GraphQL APIs that need to accept requests from frontend applications on different domains.

Microservice Architecture

Set up proper CORS policies for service-to-browser communication in microservice and micro-frontend architectures.

Third-Party Integration

Configure CORS to allow specific partner domains access to your API while blocking unauthorized origins.

Server Configuration

Generate CORS configurations for Nginx, Apache, Express.js, and Vercel with correct header syntax.

Frequently Asked Questions

What is a preflight request?

An OPTIONS request browsers send before cross-origin requests with custom headers, non-simple methods, or credentials. The server must respond with appropriate CORS headers.

Can I use * with credentials?

No. When Access-Control-Allow-Credentials is true, the origin must be explicitly specified. Wildcard (*) is not allowed with credentials.
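The credentials rule above, combined with the partner-allowlist use case described earlier, as an added example (not output of this tool): a framework-independent function that echoes the request's Origin only on an exact allowlist match and emits the preflight headers only for OPTIONS. The origins, the `POLICY` object and both function names are illustrative assumptions.

```javascript
// Added example: names, origins and the policy object are illustrative.
const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',      // constructed sample origins
  'https://partner.example.net',
]);

const POLICY = {
  methods: ['GET', 'POST', 'PUT', 'DELETE', 'OPTIONS'],
  headers: ['Content-Type', 'Authorization', 'Accept'],
  maxAge: 86400,
  credentials: true,
};

// Refuse a combination browsers reject: "*" together with credentials.
function validatePolicy(allowed, policy) {
  if (policy.credentials && allowed.has('*')) {
    throw new Error('wildcard origin cannot be combined with credentials');
  }
  return true;
}

// Returns the response headers for one request, given its Origin header and method.
function buildCorsHeaders(origin, method, allowed = ALLOWED_ORIGINS, policy = POLICY) {
  validatePolicy(allowed, policy);
  // The response differs per Origin, so shared caches must key on it.
  const out = { Vary: 'Origin' };
  // Exact string match only: no substring, suffix or regex tests, and the
  // literal "null" origin is never in the set.
  if (typeof origin !== 'string' || !allowed.has(origin)) {
    return out; // no Access-Control-* headers, so the browser blocks the read
  }
  out['Access-Control-Allow-Origin'] = origin; // echo the exact origin, not "*"
  if (policy.credentials) {
    out['Access-Control-Allow-Credentials'] = 'true';
  }
  if (method === 'OPTIONS') { // preflight-only headers
    out['Access-Control-Allow-Methods'] = policy.methods.join(', ');
    out['Access-Control-Allow-Headers'] = policy.headers.join(', ');
    out['Access-Control-Max-Age'] = String(policy.maxAge);
  }
  return out;
}
```

In a server, copy the returned object onto the response for every request under the API path, and answer OPTIONS with 204 after doing so.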

What is Access-Control-Max-Age?

How long (in seconds) browsers cache preflight responses. Setting 86400 (24 hours) reduces preflight requests for better performance.