CORS Configuration Generator

Generate Cross-Origin Resource Sharing (CORS) configuration for your framework or server.


Configuration

Headers the browser can access from the response

seconds (86400 = 24 hours)

Enable cookies and HTTP authentication in cross-origin requests

Generated Configuration



Test CORS Configuration

Use these curl commands to test your CORS setup:



Expected Response Headers



Understanding CORS

Cross-Origin Resource Sharing (CORS) is a security mechanism that lets web pages make requests to an origin other than the one that served the page. Without CORS, the browser's Same-Origin Policy blocks these cross-origin requests.

Preflight Requests

For "non-simple" requests (those with custom headers, PUT/DELETE methods, etc.), browsers first send an OPTIONS request to check if the actual request is allowed.

Credentials

When credentials (cookies, HTTP auth) are needed, two things must happen: the client must set credentials: 'include', and the server must respond with Access-Control-Allow-Credentials: true.

Wildcard Limitations

When using credentials, you cannot use * for origins. You must specify the exact origin(s), and the server should echo the requesting origin when it matches one of them.

Max-Age Caching

The Access-Control-Max-Age header tells browsers how long to cache preflight results, reducing the number of OPTIONS requests needed.
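
The rules above (preflight, credentials, the wildcard restriction and Max-Age) combined into one server-side decision function. This is an added example, not output of the generator; the policy object, its field names and the sample origins are assumptions.

```javascript
// Decide the CORS response headers for one request (added example).
// `policy` and its field names are assumptions made for this sketch.
function corsHeaders(req, policy) {
  const origin = req.headers["origin"];
  const headers = {};
  if (!origin) return headers; // no Origin header: not a CORS request

  const wildcard = policy.origins.includes("*");
  if (wildcard && policy.credentials) {
    throw new Error("'*' cannot be combined with credentials");
  }
  if (wildcard) {
    headers["Access-Control-Allow-Origin"] = "*";
  } else {
    headers["Vary"] = "Origin"; // answer depends on Origin, so caches must key on it
    // Exact string match only; an origin not on the list gets no CORS headers.
    if (!policy.origins.includes(origin)) return headers;
    headers["Access-Control-Allow-Origin"] = origin;
  }
  if (policy.credentials) headers["Access-Control-Allow-Credentials"] = "true";

  const isPreflight = req.method === "OPTIONS" &&
    "access-control-request-method" in req.headers;
  if (isPreflight) {
    headers["Access-Control-Allow-Methods"] = policy.methods.join(", ");
    headers["Access-Control-Allow-Headers"] = policy.allowedHeaders.join(", ");
    headers["Access-Control-Max-Age"] = String(policy.maxAge);
  } else if (policy.exposedHeaders.length > 0) {
    headers["Access-Control-Expose-Headers"] = policy.exposedHeaders.join(", ");
  }
  return headers;
}

// Constructed sample policy and requests (not from the original page).
const policy = {
  origins: ["https://app.example.com"],
  methods: ["GET", "PUT", "DELETE"],
  allowedHeaders: ["Content-Type", "Authorization"],
  exposedHeaders: ["X-Request-Id"],
  credentials: true,
  maxAge: 86400,
};
const preflight = { method: "OPTIONS", headers: {
  origin: "https://app.example.com", "access-control-request-method": "PUT" } };
const unlisted = { method: "GET", headers: { origin: "https://other.example" } };
console.log(corsHeaders(preflight, policy));
console.log(corsHeaders(unlisted, policy));
```

An unlisted origin receives only Vary: Origin, so the browser refuses to expose the response to that page.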