CORS Header Generator

Generate CORS (Cross-Origin Resource Sharing) response headers for your API. Configure allowed origins, methods, and headers, then get ready-to-use code snippets for Express.js middleware and Nginx configuration.

FAQ

CORS (Cross-Origin Resource Sharing) is a browser security mechanism that controls which websites can access your API from a different origin. Without proper CORS headers, browsers block cross-origin requests by default. You need CORS when your frontend (e.g. example.com) calls an API at a different origin (e.g. api.example.com).

A wildcard origin (*) is appropriate only for public APIs that don't use credentials. Using * with credentials (cookies, Authorization headers) is not allowed by the spec. For authenticated APIs, specify exact origins. Using a wildcard on a public API is safe and convenient.

Simple requests (GET, HEAD, POST with standard content types) are sent directly. Preflight requests (PUT, DELETE, custom headers, non-standard content types) send an OPTIONS request first to check if the actual request is allowed. The server must respond to OPTIONS with appropriate CORS headers for preflight to succeed.

For local development, the fastest fix is configuring your dev server with CORS headers (Express: app.use(cors()), Flask: flask-cors). Alternatively, use a browser extension that temporarily disables CORS, or run a local proxy. Never disable CORS in production — configure it properly on your server instead.

Browsers send an automatic OPTIONS "preflight" request before cross-origin requests that aren't "simple" (e.g. those with custom headers or methods other than GET, HEAD, or POST). The server must respond with the correct CORS headers, and the browser only proceeds if the preflight passes. The Access-Control-Max-Age header caches this check to reduce overhead.
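The exact-origin rule for authenticated APIs and the preflight handling described above, worked through as an added example (not output of this generator or code from any library). The policy values, the corsHeaders function and the sample requests are assumptions constructed for illustration.

```javascript
// Constructed policy for an authenticated API (all values are assumptions).
const policy = {
  origins: new Set(["https://example.com", "https://app.example.com"]),
  methods: ["GET", "POST", "PUT", "DELETE"],
  headers: ["content-type", "authorization"], // compared in lowercase
  credentials: true,
  maxAge: 600, // seconds the browser may cache a preflight result
};

// req.headers is assumed to use lowercase names, as Node's http module provides.
// Returns { status, headers }: status is 204 for a preflight, null otherwise.
function corsHeaders(req, p = policy) {
  const origin = req.headers["origin"];
  const out = { Vary: "Origin" }; // response differs per origin, so caches must key on it
  const isPreflight =
    req.method === "OPTIONS" && "access-control-request-method" in req.headers;

  // Exact-match allowlist: never echo an unknown origin, never "*" with credentials.
  if (!origin || !p.origins.has(origin)) {
    return { status: isPreflight ? 204 : null, headers: out };
  }
  out["Access-Control-Allow-Origin"] = origin;
  if (p.credentials) out["Access-Control-Allow-Credentials"] = "true";
  if (!isPreflight) return { status: null, headers: out };

  // Preflight: check the method and headers the browser says it will send.
  const wantMethod = req.headers["access-control-request-method"];
  const wantHeaders = (req.headers["access-control-request-headers"] || "")
    .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);
  if (p.methods.includes(wantMethod) && wantHeaders.every((h) => p.headers.includes(h))) {
    out["Access-Control-Allow-Methods"] = p.methods.join(", ");
    out["Access-Control-Allow-Headers"] = p.headers.join(", ");
    out["Access-Control-Max-Age"] = String(p.maxAge);
  }
  return { status: 204, headers: out };
}

// Constructed sample requests.
const preflight = {
  method: "OPTIONS",
  headers: { origin: "https://example.com",
    "access-control-request-method": "PUT",
    "access-control-request-headers": "Content-Type, Authorization" },
};
const foreign = { method: "GET", headers: { origin: "https://other.example" } };
console.log(corsHeaders(preflight), corsHeaders(foreign));
```

A request from an origin outside the allowlist gets no Access-Control-Allow-Origin header at all, so the browser withholds the response from the calling page.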