CORS Header Builder — Visual Cross-Origin Config

CORS Header Builder

Configure cross-origin policy visually and copy ready-to-use headers, middleware, or worker code.

Configuration checks
Wildcard origin (`*`) allows any site to call your API. Restrict to known origins for production.
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, HEAD, POST
Access-Control-Allow-Headers: Content-Type
Access-Control-Max-Age: 86400

About CORS

Cross-Origin Resource Sharing (CORS) is a browser security mechanism that lets servers opt into receiving requests from origins other than their own. This builder generates the correct Access-Control-* headers for the most common stacks — raw HTTP, Express, Fastify, Nginx, Apache, and Cloudflare Workers — without sending your config anywhere. Everything runs in your browser.

Common pitfalls

  • credentials: true with origin * is rejected by browsers — list explicit origins.
  • Access-Control-Allow-Headers: * does not work with credentials either.
  • Most browsers cap Access-Control-Max-Age at 86400 seconds (24 hours).
  • When you echo specific origins back, always set Vary: Origin to keep caches honest.
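
The pitfalls above, enforced in one place: an added example, not code generated by this builder. The function name `buildCorsHeaders`, its option names, and the `example.com` origins are assumptions made up for illustration.

```javascript
// Added example: allowlist-based CORS header logic (hypothetical names).
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",   // constructed sample origins
  "https://admin.example.com",
]);

function buildCorsHeaders(requestOrigin, opts = {}) {
  const {
    allowedOrigins = ALLOWED_ORIGINS,
    credentials = false,
    methods = ["GET", "HEAD", "POST"],
    headers = ["Content-Type"],
    maxAge = 86400,
    preflight = false,          // true when answering an OPTIONS preflight
  } = opts;

  // Wildcards cannot be combined with credentials: fail at config time
  // instead of shipping headers the browser will reject.
  const wildcard = allowedOrigins.has("*");
  if (credentials && (wildcard || headers.includes("*"))) {
    throw new Error("credentials require explicit origins and headers, not *");
  }

  // When the answer depends on the Origin header, say so to caches,
  // including on refusals, so one origin's result is not served to another.
  const out = wildcard ? {} : { Vary: "Origin" };

  if (wildcard) {
    out["Access-Control-Allow-Origin"] = "*";
  } else if (allowedOrigins.has(requestOrigin)) {
    // Exact string match only; the matched value is echoed back.
    out["Access-Control-Allow-Origin"] = requestOrigin;
  } else {
    return out; // no Access-Control-* headers: the browser blocks the read
  }

  if (credentials) out["Access-Control-Allow-Credentials"] = "true";
  if (preflight) {
    out["Access-Control-Allow-Methods"] = methods.join(", ");
    out["Access-Control-Allow-Headers"] = headers.join(", ");
    out["Access-Control-Max-Age"] = String(maxAge);
  }
  return out;
}
```

Because the match is an exact string comparison against the set, an origin that merely contains an allowed hostname receives no `Access-Control-Allow-Origin` header.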