CORS Generator

Secure Cross-Origin Resource Sharing configs for APIs and backends.

Comma-separated list of allowed origins. Use '*' for public APIs (insecure for authenticated routes).

- Which HTTP methods are permitted.

Headers the client is allowed to send in the actual request.

Headers the client is allowed to read from the response.

- Set to true if your API uses cookies or authorization headers. Cannot be used with a wildcard (*) origin.

How long the results of a preflight request can be cached.

cors-config.js
1

CORS Best Practices Guide

Cross-Origin Resource Sharing (CORS) is an HTTP-header based mechanism that allows a server to indicate any origins (domain, scheme, or port) other than its own from which a browser should permit loading resources.

The Dangers of the Wildcard (*)

Using Access-Control-Allow-Origin: * allows any website on the internet to read the responses from your API. While this is perfectly fine for public APIs (like a weather API), it is highly dangerous for APIs that handle user data.

Never use * on an authenticated endpoint.

CORS and Credentials

If your API requires cookies or Authorization headers to be sent with cross-origin requests, you must set Access-Control-Allow-Credentials: true.

Crucially, the browser will reject the request if Allow-Credentials is true AND Allow-Origin is set to *. You must explicitly specify the allowed origin (e.g., https://app.example.com) when using credentials.

Preflight Requests (OPTIONS)

When a browser makes a "complex" request (e.g., using a POST method with a custom Content-Type like application/json), it first sends an OPTIONS request to check if the CORS protocol is understood and allows the request.

You can cache this preflight response using the Access-Control-Max-Age header (in seconds) to reduce latency on subsequent requests from the same client.