
CORS Policy Generator

Generate CORS policy configurations for various frameworks and servers

Generator options:

  • Access-Control-Allow-Origin: use * for all origins (not recommended for production) or specify exact domains
  • Access-Control-Allow-Headers: comma-separated list, or * for all headers
  • Access-Control-Expose-Headers: headers that should be exposed to the client
  • Access-Control-Max-Age: how long preflight request results can be cached
  • Note: credentials cannot be used with the wildcard origin (*)

Understanding CORS

Cross-Origin Resource Sharing (CORS) is a security feature implemented by web browsers that controls how resources on a web page can be requested from another domain outside the domain from which the resource originated.

Why CORS Exists

The Same-Origin Policy (SOP) is a critical security mechanism that restricts how documents or scripts from one origin can interact with resources from another origin. CORS provides a way to relax this restriction in a controlled manner.

Same-Origin Policy

Two URLs have the same origin only if all three match:

  • Same protocol (http vs https)
  • Same domain (example.com vs api.example.com)
  • Same port (80 vs 8080)

Example:

  Origin: https://example.com:443
  Same origin: https://example.com/api/data (443 is the default port for https)
  Cross-origin: https://api.example.com/data (different subdomain)

CORS Headers Explained

Access-Control-Allow-Origin

Specifies which origins can access the resource.

Access-Control-Allow-Origin: https://example.com
Access-Control-Allow-Origin: * (allow all - insecure)

Access-Control-Allow-Methods

Specifies which HTTP methods are allowed when accessing the resource.

Access-Control-Allow-Methods: GET, POST, PUT, DELETE

Access-Control-Allow-Headers

Specifies which HTTP headers can be used during the actual request.

Access-Control-Allow-Headers: Content-Type, Authorization

Access-Control-Expose-Headers

Specifies which headers are safe to expose to the client.

Access-Control-Expose-Headers: X-Custom-Header

Access-Control-Max-Age

Specifies how long preflight request results can be cached.

Access-Control-Max-Age: 3600 (1 hour)

Access-Control-Allow-Credentials

Indicates whether the request can include credentials (cookies, HTTP authentication).

Access-Control-Allow-Credentials: true

CORS Request Types

Simple Requests

Simple requests don't trigger a preflight. A request is simple only if it meets all of these conditions:

  • Method: GET, HEAD, or POST
  • Headers: Only safe-listed headers (Accept, Content-Type, etc.)
  • Content-Type: application/x-www-form-urlencoded, multipart/form-data, or text/plain

Preflight Requests

The browser sends an OPTIONS request first to check whether the actual request is safe to send. This happens when the actual request:

  • Uses a method other than GET, HEAD, or POST
  • Uses custom (non-safe-listed) headers
  • Has a Content-Type other than the simple types

Preflight Request:

  OPTIONS /api/data HTTP/1.1
  Origin: https://example.com
  Access-Control-Request-Method: POST
  Access-Control-Request-Headers: Content-Type
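To make the simple-versus-preflight rules above concrete, here is an added example (not code from the original page) that classifies a request and renders the OPTIONS request a browser would send for a non-simple one. SAFE_HEADERS and SAFE_CONTENT_TYPES contain only the values this page lists, not the complete Fetch-standard safelist; the sample requests in the usage block are constructed.

```python
# Added example, not code from the original page: classify a request as
# "simple" or preflighted using the rules listed above, and render the
# OPTIONS request a browser would send for the latter. SAFE_HEADERS and
# SAFE_CONTENT_TYPES hold only the values this page lists, not the complete
# Fetch-standard safelist.

SAFE_METHODS = {"GET", "HEAD", "POST"}
SAFE_HEADERS = {"accept", "accept-language", "content-language", "content-type"}
SAFE_CONTENT_TYPES = {
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/plain",
}


def _media_type(value):
    # "text/plain; charset=utf-8" -> "text/plain": parameters do not matter here.
    return value.split(";", 1)[0].strip().lower()


def _unsafe_header_names(headers):
    """Header names (lowercased, sorted) that are not safe-listed; a Content-Type
    outside the simple types counts as unsafe too."""
    unsafe = []
    for name, value in headers.items():
        lname = name.lower()
        if lname not in SAFE_HEADERS:
            unsafe.append(lname)
        elif lname == "content-type" and _media_type(value) not in SAFE_CONTENT_TYPES:
            unsafe.append(lname)
    return sorted(unsafe)


def preflight_reasons(method, headers):
    """Why a preflight would be needed; an empty list means a simple request."""
    lowered = {k.lower(): v for k, v in headers.items()}
    reasons = []
    if method.upper() not in SAFE_METHODS:
        reasons.append("method %s is not GET, HEAD or POST" % method.upper())
    for name in _unsafe_header_names(headers):
        if name == "content-type":
            reasons.append("Content-Type %s is not a simple type" % _media_type(lowered[name]))
        else:
            reasons.append("header %s is not safe-listed" % name)
    return reasons


def needs_preflight(method, headers):
    return bool(preflight_reasons(method, headers))


def build_preflight(method, headers, origin, path):
    """Render the OPTIONS request a browser sends before a non-simple request.
    Browsers list the unsafe header names lowercased and sorted."""
    lines = [
        "OPTIONS %s HTTP/1.1" % path,
        "Origin: %s" % origin,
        "Access-Control-Request-Method: %s" % method.upper(),
    ]
    unsafe = _unsafe_header_names(headers)
    if unsafe:
        lines.append("Access-Control-Request-Headers: " + ", ".join(unsafe))
    return lines


if __name__ == "__main__":
    # Constructed sample: a JSON POST with a custom header from https://example.com
    req_headers = {"Content-Type": "application/json", "X-Trace": "1"}
    for reason in preflight_reasons("POST", req_headers):
        print("preflight needed:", reason)
    print("\n".join(build_preflight("POST", req_headers, "https://example.com", "/api/data")))
```

Note that a Content-Type of text/plain; charset=utf-8 still counts as simple, because only the media type is compared, while application/json always forces a preflight even on a POST.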

Security Best Practices

Don't Use Wildcards in Production

Avoid: Access-Control-Allow-Origin: *
This allows any website to make requests to your API, potentially exposing sensitive data.

Specify Exact Origins

Use: Access-Control-Allow-Origin: https://trusted-site.com
Only allow specific, trusted origins.

Credentials and Wildcards

You cannot use wildcards with credentials:

Invalid:
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true

Validate Origins Server-Side

For multiple allowed origins, maintain an allowlist and validate the Origin header against it with an exact match before echoing it back, e.g. in a request handler:

allowed_origins = ['https://app1.com', 'https://app2.com']
def add_cors_origin(request, response):
    origin = request.headers.get('Origin')
    if origin in allowed_origins:  # exact match only; never reflect Origin blindly
        response.headers['Access-Control-Allow-Origin'] = origin
        response.headers['Vary'] = 'Origin'  # keep caches from reusing it across origins
    return response

Limit Methods and Headers

Only allow methods and headers your API actually uses:

  • Don't use * for headers
  • Only allow necessary HTTP methods
  • Restrict custom headers to required ones
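The practices above (exact-origin allowlist, no wildcard with credentials, only the methods and headers the API needs) fit together in one policy object. The following is an added example, not code from the original page or from any framework: a framework-neutral CorsPolicy that turns a request's method and headers into the CORS response headers, both for preflights and for actual requests. PUBLIC_READ_ONLY and PRIVATE_APP are constructed sample policies matching the public/private settings recommended later on this page; the origins are the ones used above and X-Request-Id is a made-up header name.

```python
# Added example, not code from the original page: a framework-neutral CORS
# policy that turns one request into the CORS response headers the best
# practices above call for. PUBLIC_READ_ONLY and PRIVATE_APP are constructed
# sample policies; the origins come from the page, X-Request-Id is made up.

from dataclasses import dataclass


@dataclass(frozen=True)
class CorsPolicy:
    allowed_origins: frozenset            # exact origins, or frozenset({"*"})
    allowed_methods: tuple = ("GET", "OPTIONS")
    allowed_headers: tuple = ("Content-Type",)
    exposed_headers: tuple = ()
    allow_credentials: bool = False
    max_age: int = 3600                   # seconds a preflight result may be cached

    def __post_init__(self):
        # Browsers reject "*" together with credentials; refuse it at config time.
        if self.allow_credentials and "*" in self.allowed_origins:
            raise ValueError("credentials cannot be combined with wildcard origin")

    def origin_allowed(self, origin):
        # Exact string comparison only: no substring, prefix or regex matching.
        if origin is None:
            return False                  # no Origin header: not a CORS request
        return "*" in self.allowed_origins or origin in self.allowed_origins

    def headers_for(self, method, request_headers):
        """CORS response headers for one request; {} when the Origin is not
        allowed, which makes the browser block the response."""
        origin = request_headers.get("Origin")
        if not self.origin_allowed(origin):
            return {}
        out = {}
        if "*" in self.allowed_origins:
            out["Access-Control-Allow-Origin"] = "*"
        else:
            # Echo the validated origin and mark the response as varying on it,
            # so a cache never serves one origin's answer to another.
            out["Access-Control-Allow-Origin"] = origin
            out["Vary"] = "Origin"
        if self.allow_credentials:
            out["Access-Control-Allow-Credentials"] = "true"
        is_preflight = (method.upper() == "OPTIONS"
                        and "Access-Control-Request-Method" in request_headers)
        if is_preflight:
            # Answer with the configured lists; the browser compares them against
            # the actual request and raises the "not allowed by ..." errors.
            out["Access-Control-Allow-Methods"] = ", ".join(self.allowed_methods)
            out["Access-Control-Allow-Headers"] = ", ".join(self.allowed_headers)
            out["Access-Control-Max-Age"] = str(self.max_age)
        elif self.exposed_headers:
            out["Access-Control-Expose-Headers"] = ", ".join(self.exposed_headers)
        return out


# Public, read-only API: the wildcard is acceptable because no credentials are used.
PUBLIC_READ_ONLY = CorsPolicy(allowed_origins=frozenset({"*"}))

# Private API: exact origins, only the methods and headers it uses, credentials on.
PRIVATE_APP = CorsPolicy(
    allowed_origins=frozenset({"https://app1.com", "https://app2.com"}),
    allowed_methods=("GET", "POST", "PUT", "DELETE", "OPTIONS"),
    allowed_headers=("Content-Type", "Authorization"),
    exposed_headers=("X-Request-Id",),   # constructed header name
    allow_credentials=True,
    max_age=3600,
)

if __name__ == "__main__":
    # Constructed preflight from one of the allowed origins.
    print(PRIVATE_APP.headers_for("OPTIONS", {
        "Origin": "https://app1.com",
        "Access-Control-Request-Method": "POST",
        "Access-Control-Request-Headers": "content-type",
    }))
```

The policy validates itself at construction, so a wildcard-plus-credentials misconfiguration fails when the server starts rather than showing up as a browser console error later. Request header keys are assumed to be in canonical case (Origin, Access-Control-Request-Method); real frameworks usually expose a case-insensitive header mapping.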

Common CORS Errors

"No 'Access-Control-Allow-Origin' header is present"

Cause: Server didn't send CORS headers
Solution: Configure server to send proper CORS headers

"The CORS protocol does not allow specifying a wildcard with credentials"

Cause: Using * with credentials
Solution: Specify exact origin or remove credentials

"Method not allowed by Access-Control-Allow-Methods"

Cause: HTTP method not in allowed list
Solution: Add the method to Access-Control-Allow-Methods

"Header not allowed by Access-Control-Allow-Headers"

Cause: Custom header not in allowed list
Solution: Add the header to Access-Control-Allow-Headers

Security Warning

Never use in production:

Access-Control-Allow-Origin: *

This allows any website to access your API and potentially steal user data or perform unauthorized actions.

Recommended Settings

Public API (read-only)

  • Origin: * (acceptable)
  • Methods: GET, OPTIONS
  • Credentials: false

Private API

  • Origin: Specific domains
  • Methods: As needed
  • Credentials: true (if needed)
  • Max-Age: 3600 (1 hour)

Testing Tools

  • Browser DevTools (Network tab)
  • curl with -H "Origin: ..."
  • Postman
  • test-cors.org

Quick Reference

Safe-Listed Methods

GET, HEAD, POST

Safe-Listed Headers

  • Accept
  • Accept-Language
  • Content-Language
  • Content-Type (limited values)

Max-Age Recommendations

  • Development: 600 (10 min)
  • Production: 3600 (1 hour)
  • Maximum: 86400 (24 hours)