Security

CORS Policy Builder

Build CORS response headers, preflight responses and detect common configuration errors.

Policy templates

Start from a common CORS configuration and adjust it for your application.

Allowed origin

Define the origin that browsers may use when accessing the resource.

Allowed methods

Select the HTTP methods returned in Access-Control-Allow-Methods.

Allowed request headers

Configure headers accepted during cross-origin requests.

Content-TypeAuthorization

Exposed response headers

Define response headers that browser JavaScript may read.

No headers configured.

Credentials and caching

Configure credential support, preflight caching and origin-aware response caching.

Number of seconds a browser may cache a successful preflight response.

No policy issues detected

The current rules did not detect any obvious CORS configuration problems.

Generated CORS headers

Copy the response headers or a complete example preflight response.

Response headers
Access-Control-Allow-Origin: https://app.example.com
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS
Access-Control-Allow-Headers: Content-Type, Authorization
Access-Control-Allow-Credentials: true
Access-Control-Max-Age: 86400
Vary: Origin
Preflight response
HTTP/1.1 204 No Content
Access-Control-Allow-Origin: https://app.example.com
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS
Access-Control-Allow-Headers: Content-Type, Authorization
Access-Control-Allow-Credentials: true
Access-Control-Max-Age: 86400
Vary: Origin
Content-Length: 0

CORS configuration is generated locally inside your browser. CORS is enforced by browsers and does not replace server-side authentication or authorization.

About this tool

What is CORS Policy Builder?

CORS Policy Builder creates cross-origin response headers and example preflight responses through a visual editor. Configure allowed origins, methods, request headers, exposed response headers, credentials and preflight caching while detecting combinations browsers reject.

Features

Built for fast developer workflows

  • Configure a public or specific allowed origin.
  • Select allowed HTTP methods.
  • Add allowed request headers.
  • Add exposed response headers.
  • Enable credentialed cross-origin requests.
  • Configure Access-Control-Max-Age.
  • Generate Vary: Origin when appropriate.
  • Detect wildcard origins combined with credentials.
  • Detect invalid and comma-separated origins.
  • Warn when allowing the null origin.
  • Validate numeric preflight cache duration.
  • Generate complete CORS response headers.
  • Generate an example HTTP 204 preflight response.
  • Process every policy locally in your browser.

Frequently asked questions

Questions about CORS Policy Builder

What is CORS?

Cross-Origin Resource Sharing is a browser mechanism that allows a server to declare which origins may access a resource from frontend JavaScript.

Can I use * with credentials?

No. Browsers reject a wildcard Access-Control-Allow-Origin value when Access-Control-Allow-Credentials is true.

Can Access-Control-Allow-Origin contain multiple origins?

No. A response must return one matching origin or a wildcard. Servers supporting several origins normally validate the request Origin dynamically.

What is a CORS preflight request?

It is an OPTIONS request sent by the browser to check whether a cross-origin method and its headers are allowed before sending the actual request.

Why should a response include Vary: Origin?

It tells caches that the response may change according to the request Origin, preventing one origin's CORS response from being reused for another.

Does CORS replace authentication?

No. CORS controls browser access to responses. Servers must still authenticate users and authorize every protected operation.

Related tools