Security
Content Security Policy Builder
Build and review Content-Security-Policy headers with visual directives and security warnings.
Security
Build CORS response headers, preflight responses and detect common configuration errors.
Start from a common CORS configuration and adjust it for your application.
Define the origin that browsers may use when accessing the resource.
Select the HTTP methods returned in Access-Control-Allow-Methods.
Configure headers accepted during cross-origin requests.
Content-TypeAuthorizationDefine response headers that browser JavaScript may read.
No headers configured.
Configure credential support, preflight caching and origin-aware response caching.
Number of seconds a browser may cache a successful preflight response.
The current rules did not detect any obvious CORS configuration problems.
Copy the response headers or a complete example preflight response.
Access-Control-Allow-Origin: https://app.example.com
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS
Access-Control-Allow-Headers: Content-Type, Authorization
Access-Control-Allow-Credentials: true
Access-Control-Max-Age: 86400
Vary: OriginHTTP/1.1 204 No Content
Access-Control-Allow-Origin: https://app.example.com
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS
Access-Control-Allow-Headers: Content-Type, Authorization
Access-Control-Allow-Credentials: true
Access-Control-Max-Age: 86400
Vary: Origin
Content-Length: 0CORS configuration is generated locally inside your browser. CORS is enforced by browsers and does not replace server-side authentication or authorization.
About this tool
CORS Policy Builder creates cross-origin response headers and example preflight responses through a visual editor. Configure allowed origins, methods, request headers, exposed response headers, credentials and preflight caching while detecting combinations browsers reject.
Features
Frequently asked questions
Cross-Origin Resource Sharing is a browser mechanism that allows a server to declare which origins may access a resource from frontend JavaScript.
No. Browsers reject a wildcard Access-Control-Allow-Origin value when Access-Control-Allow-Credentials is true.
No. A response must return one matching origin or a wildcard. Servers supporting several origins normally validate the request Origin dynamically.
It is an OPTIONS request sent by the browser to check whether a cross-origin method and its headers are allowed before sending the actual request.
It tells caches that the response may change according to the request Origin, preventing one origin's CORS response from being reused for another.
No. CORS controls browser access to responses. Servers must still authenticate users and authorize every protected operation.
Related tools
Security
Build and review Content-Security-Policy headers with visual directives and security warnings.
API
Build cURL commands and Fetch API code from structured HTTP requests.
Development
Search HTTP response codes and understand what each status means.