CORS Header Generator

Use '*' to allow all origins (cannot be used with credentials)

Generated CORS Headers

Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS
Access-Control-Allow-Headers: Content-Type, Authorization
Access-Control-Max-Age: 3600

When to use this generator

  • A browser calls your API from another origin (different scheme, host, or port) and the console shows a CORS or preflight failure.
  • You are writing infra-as-code, nginx, API Gateway, or Lambda config and need the exact header lines to paste.
  • You want to compare a strict setup (named origins, no credentials) vs a dev-only relaxed setup before you lock production.

Real-world example

A React app at https://app.example.com posts JSON with an Authorization header to https://api.example.com. You allow that origin (not *), include OPTIONS, list Content-Type and Authorization in allow-headers, and set Access-Control-Allow-Credentials: true because you use cookies. This tool outputs the matching header block for you to wire into the server.

Common mistakes

  • * with credentials: browsers reject it; list explicit origins.
  • Missing custom headers (e.g. X-Request-Id) in allow-headers—preflight fails even when GET works.
  • Forgetting OPTIONS on the server route so preflight never returns 204/200 with these headers.

Limitations of this tool

  • It only builds static header text—your framework may need middleware syntax (Express cors(), Spring config, etc.).
  • It does not model dynamic origin allowlists, regex origins, or per-route policies—you must merge that logic yourself.
  • CORS is not a substitute for authn/authz; permissive headers do not make an API safe.
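
The dynamic origin allowlist that this tool does not model, sketched as an added example (not output of the tool or code from its authors). The function name, the allowlist contents and the 403 status for a rejected preflight are assumptions; request header names are assumed to be lower-cased, as Node's http module delivers them.

```javascript
// Added example, not generated by the tool. Origins and names are assumptions.
// reqHeaders is assumed to have lower-cased keys, as Node's http module provides.
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]);
const ALLOWED_METHODS = ["GET", "POST", "PUT", "DELETE", "OPTIONS"];
const ALLOWED_HEADERS = ["content-type", "authorization"];
const MAX_AGE_SECONDS = 3600;

// Returns { status, headers }: status is 204 or 403 for a preflight,
// null for an actual request (the route handler picks its own status).
function corsDecision(method, reqHeaders) {
  // Vary: Origin on every response, so a shared cache never replays
  // one origin's CORS headers to a different origin.
  const base = { Vary: "Origin" };
  const origin = reqHeaders["origin"];
  const wantedMethod = reqHeaders["access-control-request-method"];
  const isPreflight = method === "OPTIONS" && wantedMethod !== undefined;
  // Denial = no Access-Control-* headers; the browser then blocks the read.
  const deny = { status: isPreflight ? 403 : null, headers: base };

  // Exact match against the allowlist: no substring, suffix or regex tests.
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return deny;
  if (isPreflight) {
    const wantedHeaders = (reqHeaders["access-control-request-headers"] || "")
      .split(",")
      .map((h) => h.trim().toLowerCase())
      .filter(Boolean);
    // A custom header missing from the allow list (e.g. X-Request-Id) fails here.
    const ok = ALLOWED_METHODS.includes(wantedMethod) &&
      wantedHeaders.every((h) => ALLOWED_HEADERS.includes(h));
    if (!ok) return deny;
  }
  // Echo the matched origin instead of '*', as credentials require.
  const allow = {
    ...base,
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
  };
  if (!isPreflight) return { status: null, headers: allow };
  return {
    status: 204,
    headers: {
      ...allow,
      "Access-Control-Allow-Methods": ALLOWED_METHODS.join(", "),
      "Access-Control-Allow-Headers": "Content-Type, Authorization",
      "Access-Control-Max-Age": String(MAX_AGE_SECONDS),
    },
  };
}
```

A denied actual request still reaches the server; only the browser-side read is blocked, so the route's own authentication and authorization checks must run regardless.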


Frequently Asked Questions

What are CORS headers?

CORS (Cross-Origin Resource Sharing) headers allow web servers to specify which origins, methods, and headers are allowed when making cross-origin requests. They're essential for enabling API access from web browsers.

How do I generate CORS headers?

Configure the allowed origins (use '*' for all origins), allowed HTTP methods, allowed headers, exposed headers, max age for preflight caching, and whether to allow credentials. The tool generates the complete CORS header set.

What is Access-Control-Allow-Origin?

This header specifies which origins are allowed to access the resource. Use '*' to allow all origins, or name specific origins such as 'https://example.com'. Note: '*' cannot be used with credentials.

What is Access-Control-Allow-Methods?

This header specifies which HTTP methods are allowed for cross-origin requests. Common methods include GET, POST, PUT, DELETE, PATCH, and OPTIONS.

Is the CORS header generator free to use?

Yes! Our CORS header generator is 100% free with no registration required, no usage limits, and no hidden fees. You can generate as many CORS header configurations as you need for your development work.

Are my CORS configurations stored or tracked?

No, all CORS header generation happens locally in your browser. We don't store, save, or have access to any CORS configurations you generate. Your privacy is completely protected.

What's the difference between allowed headers and exposed headers?

Allowed headers specify which headers the client can send in the request. Exposed headers specify which response headers the client can access via JavaScript. Both are important for proper CORS configuration.

Can I use '*' for all origins with credentials?

No! When Access-Control-Allow-Credentials is true, you cannot use '*' for Access-Control-Allow-Origin. You must specify exact origins. This is a security requirement of the CORS specification.

What is Access-Control-Max-Age used for?

Max-Age specifies how long (in seconds) the browser can cache the response to the preflight OPTIONS request. This reduces the number of preflight requests for subsequent CORS requests. Common values are 3600 (1 hour) or 86400 (24 hours).

Do I need to include OPTIONS in allowed methods?

Yes, OPTIONS is typically included because browsers send an OPTIONS preflight request before the actual request. However, some servers handle OPTIONS automatically, so check your server configuration.

How do I use these headers in my server?

Copy the generated headers and add them to your server's response headers. In Express.js, use cors middleware or set headers manually. In other frameworks, add the headers to your response configuration.