KitMul MarkKitMul Text

Configure CORS Headers

Generate Cross-Origin Resource Sharing configurations for Express.js, Nginx, Apache, Fetch API, Spring Boot, Django, and Laravel.

Build and configure CORS headers visually with an interactive editor. Define allowed origins, methods, headers, credentials, and max age; then export ready-to-use configurations for Express.js, Nginx, Apache, Fetch API, Spring Boot, Django, and Laravel. All processing happens in your browser.

Loading...
Your data stays in your browser
Was this tool useful?
Tutorial

How to Configure CORS Headers

1
1

Define Allowed Origins

Specify which domains can access your API by adding origin URLs or using a wildcard for open access.

2
2

Select Methods and Headers

Choose which HTTP methods like GET, POST, or PUT are allowed, and define custom headers your API accepts.

3
3

Export the Configuration

Switch between output tabs to copy the CORS config for your server framework or reverse proxy setup.

Guide

Complete Guide to CORS Configuration

Why CORS Exists in the Browser

Browsers enforce the same-origin policy to prevent malicious websites from reading sensitive data from other domains. CORS relaxes this restriction in a controlled way by letting servers declare which origins, methods, and headers are permitted. Without CORS headers, any cross-origin fetch or XMLHttpRequest will be blocked, even if the server processed the request successfully.

Understanding CORS Headers

The Access-Control-Allow-Origin header specifies trusted origins. Access-Control-Allow-Methods lists permitted HTTP methods such as GET, POST, and DELETE. Access-Control-Allow-Headers declares which custom request headers are accepted. Access-Control-Expose-Headers controls which response headers the browser can read, and Access-Control-Max-Age caches preflight results to reduce latency.

Simple vs Preflight Requests

Simple requests use GET, HEAD, or POST with standard content types and skip the preflight step. Any request using other methods, custom headers, or non-standard content types triggers a preflight OPTIONS call. The server must respond to the preflight with the correct CORS headers before the browser sends the actual request, making proper configuration essential for API functionality.

Common Pitfalls and Best Practices

Avoid using wildcard origins in production; whitelist specific domains instead. Never combine wildcard origins with credentials because browsers will reject the response. Set a reasonable Max Age to reduce preflight overhead without caching stale policies. Always test CORS from the actual client origin because server-side tools bypass browser enforcement entirely.

Sources

Examples

CORS Configuration Examples

Express.js API for a React App

A React SPA at https://app.example.com needs to call an Express API at https://api.example.com with JWT tokens.

1

Set allowed origin to https://app.example.com

2

Enable methods GET, POST, PUT, DELETE

3

Add Authorization to allowed headers

4

Enable credentials

Access-Control-Allow-Origin: https://app.example.com; Access-Control-Allow-Methods: GET, POST, PUT, DELETE; Access-Control-Allow-Headers: Authorization; Access-Control-Allow-Credentials: true

Nginx Reverse Proxy for Public API

A public REST API behind Nginx that accepts JSON requests from any origin.

1

Set allowed origin to *

2

Enable methods GET, POST, OPTIONS

3

Add Content-Type to allowed headers

4

Set max age to 86400 seconds

Access-Control-Allow-Origin: *; Access-Control-Allow-Methods: GET, POST, OPTIONS; Access-Control-Allow-Headers: Content-Type; Access-Control-Max-Age: 86400

Use Cases

CORS Use Cases

Public REST API

Set allowed origins to wildcard (*) and enable GET and POST methods for a public API. This lets any frontend application consume your endpoints without restrictions, which is ideal for open data services and public documentation APIs.

Single-Page Application Backend

Restrict allowed origins to your SPA domain and enable credentials for cookie-based authentication. This ensures only your frontend can call the API while maintaining session state across cross-origin requests securely.

Microservices Gateway

Configure multiple allowed origins for internal services behind a reverse proxy. Set specific methods and exposed headers so each microservice can communicate through the gateway while keeping unauthorized external origins blocked.

Frequently Asked Questions

?What is CORS?

CORS is a browser security mechanism that controls which external domains can access resources on your server through HTTP headers.

?Why do I get CORS errors?

Browsers block cross-origin requests by default. You need to configure your server to send the correct Access-Control-Allow headers.

?Can I use wildcard (*) with credentials?

No. Browsers reject responses that combine Access-Control-Allow-Origin: * with credentials. You must specify exact origins instead.

?What is a preflight request?

A preflight is an OPTIONS request the browser sends before certain cross-origin calls to check if the server allows the actual request.

?What does Max Age control?

Max Age tells browsers how long to cache preflight responses in seconds, reducing repeated OPTIONS requests for the same endpoint.

?Is my data private?

Yes. Everything runs locally in your browser. No data is sent to any server. Your CORS configuration never leaves your machine.

?Is this tool free?

Yes. Completely free with no limits, no sign-up required. Generate as many configurations as you need without any restrictions.

Help us improve

How do you like this tool?

Every tool on Kitmul is built from real user requests. Your rating and suggestions help us fix bugs, add missing features and build the tools you actually need.

Rate this tool

Tap a star to tell us how useful this tool was for you.

Suggest an improvement or report a bug

Missing a feature? Found a bug? Have an idea? Tell us and we'll look into it.

Related Tools

Generate Security Headers

Configure and generate HTTP security headers with a security grade score. Export for Nginx, Apache, and Express.js.

Try Tool

Build Content Security Policy

Generate CSP headers interactively with all directives, presets, and output for HTTP headers, meta tags, Nginx, Apache, and Express.

Try Tool

Encrypt and Decrypt with AES

Encrypt and decrypt text using AES-CBC or AES-GCM directly in your browser with the Web Crypto API.

Try Tool
Recommended Reading

Recommended Books on Web Security and CORS

Web Application Hacker's Handbook

Web Application Hacker's Handbook

Dafydd Stuttard

The Code Book

The Code Book

Simon Singh

Crypto: How the Code Rebels Beat the Government

Crypto: How the Code Rebels Beat the Government

Steven Levy

As an Amazon Associate we earn from qualifying purchases.

Boost Your Capabilities

Security Tools for Web Developers

YubiKey 5 NFC — Hardware Security Key for MFA

YubiKey 5 NFC — Hardware Security Key for MFA

Yubico

Apricorn Aegis Secure Key — 256-bit AES Encrypted USB Drive

Apricorn Aegis Secure Key — 256-bit AES Encrypted USB Drive

Apricorn

Kingston IronKey Vault — FIPS 197 Certified Encrypted Flash Drive

Kingston IronKey Vault — FIPS 197 Certified Encrypted Flash Drive

Kingston

As an Amazon Associate we earn from qualifying purchases.

Newsletter

Get Free Productivity Tips & New Tools First

Join makers and developers who care about privacy. Every issue: new tool drops, productivity hacks, and insider updates — no spam, ever.

Priority access to new tools
Unsubscribe anytime, no questions asked