DevToolbox

CORS Header Builder

Configure allowed origins, methods, headers, and credentials with live header output.

About This Tool

The CORS Header Builder is a free browser-based tool that helps you generate correct Access-Control-* HTTP response headers without memorizing the spec. Cross-Origin Resource Sharing (CORS) is the mechanism that lets browsers make requests across different domains safely. Misconfigured CORS headers are one of the most common sources of frustrating frontend errors — and one of the easiest to prevent with the right tooling.

This builder gives you a visual form to configure every CORS-related header: Access-Control-Allow-Origin (wildcard, specific origin list, or regex), Access-Control-Allow-Methods, Access-Control-Allow-Headers, Access-Control-Expose-Headers, Access-Control-Max-Age, and Access-Control-Allow-Credentials. As you toggle options the output updates in real time, so you can see exactly what your server needs to send. The tool also warns you about common mistakes such as using credentials: true with a wildcard origin — a combination that browsers silently reject.

Output is available in five formats: raw HTTP headers, Nginx add_header directives, Apache .htaccess rules, Express.js cors middleware options, and Next.js next.config.js headers. If you are setting up a Content Security Policy alongside your CORS headers, try the CSP Header Generator. For a deeper dive into all response headers your server sends, the HTTP Header Analyzer can parse and explain them. And if you are writing full Nginx server blocks, the Nginx Config Generator covers reverse proxy, SSL, and caching directives too.

A built-in preflight simulation shows the OPTIONS request a browser would send and the expected response, helping you verify your configuration before deploying. Four presets — Open API, Same-Site Only, Specific Origins, and CDN — let you start from a sensible baseline and customize from there.

All processing happens entirely in your browser. No data is transmitted to any server, making it safe to use with internal API URLs and production domains.

How to Use

  1. Choose an Origin Mode — wildcard (*), specific origins, or a regex pattern — from the dropdown.
  2. If you selected specific origins, type each allowed origin (e.g. https://app.example.com) and press Enter or click + to add it to the list.
  3. Toggle the HTTP methods your API supports by clicking the method buttons (GET, POST, PUT, etc.).
  4. Select the allowed request headers from the common-headers grid and add any custom headers in the text input below.
  5. Optionally enter exposed headers so the browser can read non-standard response headers, set a Max-Age for preflight caching, and toggle Credentials if your API uses cookies or auth headers.
  6. Choose an output format — Raw Headers, Nginx, Apache, Express.js, or Next.js — and review the generated config.
  7. Click Copy or press Ctrl+Shift+C to copy the output to your clipboard. Use Show Preflight Simulation to verify the OPTIONS request/response pair.

Popular CORS Header Examples

View all CORS header examples →

FAQ

What is CORS and why do I need it?

CORS (Cross-Origin Resource Sharing) is a browser security mechanism that blocks web pages from making requests to a different domain unless the server explicitly allows it via Access-Control-* response headers. Without the correct headers, fetch and XMLHttpRequest calls from a different origin will fail with a CORS error in the browser console.

Can I use a wildcard (*) origin with credentials?

No. The CORS specification states that when Access-Control-Allow-Credentials is true, the Access-Control-Allow-Origin header must echo the exact requesting origin — not a wildcard. Browsers will silently reject the response if you combine * with credentials. The tool warns you about this configuration.

What is a preflight request?

A preflight request is an automatic OPTIONS request the browser sends before the actual request when the request uses a non-simple method (e.g., PUT, DELETE), sends custom headers, or uses a Content-Type other than application/x-www-form-urlencoded, multipart/form-data, or text/plain. The server must respond with the correct Access-Control-Allow-* headers for the actual request to proceed.

How does Access-Control-Max-Age work?

Access-Control-Max-Age tells the browser how many seconds it can cache the preflight response. During this window, the browser skips the OPTIONS request for identical cross-origin requests, reducing latency. A value of 86400 (24 hours) is common for stable APIs.

What is the Vary: Origin header for?

When Access-Control-Allow-Origin reflects a specific origin rather than *, intermediate caches could serve a response meant for one origin to a different origin. Adding Vary: Origin tells caches to key on the Origin request header, preventing this mismatch.

Is my data safe?

Yes. All header generation runs entirely in your browser using JavaScript. No data — including your origin URLs or API paths — is sent to any server. You can verify this by checking the Network tab in your browser's developer tools while using the tool.

Which output format should I use?

Choose the format that matches your server or framework. Use Raw Headers for manual configuration or debugging, Nginx for nginx.conf or sites-available, Apache for .htaccess, Express.js for Node.js backends using the cors npm package, and Next.js for the headers() config in next.config.js.

Related Tools

CSP Header Generator

Build Content Security Policy headers visually with directive presets and real-time policy output.

HTTP Header Analyzer

Fetch and analyze HTTP response headers for any URL. Check security headers, caching, CORS, and more.

Nginx Config Generator

Generate Nginx server blocks visually. Configure reverse proxy, SSL, static files, and redirects with a GUI.

Content-Type Header Builder

Build Content-Type headers with the correct MIME type, charset, and boundary parameters. Copy as header or curl flag.

HTTP Status Codes

Browse, search, and learn about all HTTP status codes with detailed explanations.

Cache-Control Builder

Build Cache-Control headers visually with toggle switches for every directive, duration presets, and server config snippets.

HTTP/2 vs HTTP/3 Comparison

Side-by-side comparison of HTTP/1.1, HTTP/2, and HTTP/3 protocols with feature details, performance characteristics, and migration guides.