CORS Configuration Generator
Generate Cross-Origin Resource Sharing configurations for Express, Nginx, Apache, and other platforms.
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Allow-Headers: Content-Type, Authorization
Access-Control-Max-Age: 86400
How to Use the CORS Configuration Generator
- Select your target platform (Express.js, Nginx, Apache, Flask, etc.).
- Configure allowed origins, methods, and headers for your API.
- Set options like credentials support, max-age for preflight caching, and exposed headers.
- Copy the generated configuration and add it to your server setup.
What is CORS (Cross-Origin Resource Sharing)?
CORS is a browser security mechanism that controls how a web page from one origin may request resources from a different origin. The Same-Origin Policy (SOP) blocks cross-origin reads by default, and CORS provides a controlled way to relax this restriction. When a browser makes a cross-origin request, the server must respond with the appropriate Access-Control-Allow-* headers to indicate that the request is permitted.

For simple requests (GET, or POST with a standard content type and no custom headers), the browser sends the request directly and checks the Access-Control-Allow-Origin header in the response. For complex requests (PUT, DELETE, custom headers, or non-standard content types), the browser first sends a preflight OPTIONS request to ask whether the actual request is allowed. The server must answer the preflight with the correct CORS headers before the browser proceeds with the actual request.

CORS misconfiguration is a common web vulnerability. Reflecting the request's Origin header directly as Access-Control-Allow-Origin while also sending Access-Control-Allow-Credentials: true is dangerous, because it lets any website make authenticated requests to your API with the user's cookies. Combining the wildcard (*) in Allow-Origin with credentials is another frequent mistake. During security assessments, always test CORS by sending requests with different Origin headers and checking whether the server blindly reflects them. Configure CORS with an explicit whitelist of trusted origins, matched exactly.
Frequently Asked Questions
What is a CORS preflight request?
A preflight is an OPTIONS request the browser sends before the actual request when that request is "complex" (uses PUT/DELETE, custom headers, or non-standard content types). The server must respond with Access-Control-Allow-Methods and Access-Control-Allow-Headers to authorize the actual request. Use Access-Control-Max-Age to cache preflight responses and reduce latency.

Why is reflecting the Origin header dangerous?
If your server copies the incoming Origin header into Access-Control-Allow-Origin while also setting Access-Control-Allow-Credentials: true, any website can make authenticated requests to your API using the user's cookies. This effectively bypasses the Same-Origin Policy and can lead to data theft. Always validate origins against an explicit whitelist.

Can I use a wildcard (*) origin together with credentials?
No. Browsers enforce that Access-Control-Allow-Origin cannot be * when Access-Control-Allow-Credentials is true. If you need to support credentials (cookies, authorization headers), you must specify exact origin values. Some servers incorrectly work around this by reflecting the request Origin, which creates the vulnerability described above.
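The whitelist check and preflight handling described in the explanation and FAQ above, as an added example that is not output of this generator: the unsafe origin-reflecting pattern next to an exact-match allow-list, a self-check that flags reflection, and an Express-style middleware. The allow-list entries and probe origin are constructed sample values; the middleware assumes Express's req/res API.

```javascript
// Constructed allow-list for the example; replace with your own trusted origins.
const ALLOWED_ORIGINS = new Set(['https://app.example.com', 'https://admin.example.com']);

// The misconfiguration described above: the incoming Origin is copied back
// unconditionally while credentials are allowed.
function reflectingCorsHeaders(req) {
  return {
    'Access-Control-Allow-Origin': req.headers.origin,
    'Access-Control-Allow-Credentials': 'true',
  };
}

// Corrected version: exact-match against the allow-list. Unknown origins get no
// CORS headers at all, so the browser refuses to expose the response to the page.
function strictCorsHeaders(req, allowed = ALLOWED_ORIGINS) {
  const origin = req.headers.origin;
  if (typeof origin !== 'string' || !allowed.has(origin)) return {};
  const headers = {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    // The response now differs per origin; tell caches not to reuse it across origins.
    'Vary': 'Origin',
  };
  if (req.method === 'OPTIONS') {
    // Preflight: authorize the methods/headers of the real request and cache the answer.
    headers['Access-Control-Allow-Methods'] = 'GET, POST, PUT, DELETE, OPTIONS';
    headers['Access-Control-Allow-Headers'] = 'Content-Type, Authorization';
    headers['Access-Control-Max-Age'] = '86400';
  }
  return headers;
}

// Self-check for a header function: send an origin that is not on the allow-list
// and report whether it comes back with credentials enabled (the dangerous case).
function reflectsUnknownOrigin(headerFn) {
  const probe = 'https://not-trusted.example'; // constructed, not in the allow-list
  const h = headerFn({ method: 'GET', headers: { origin: probe } });
  return h['Access-Control-Allow-Origin'] === probe &&
    h['Access-Control-Allow-Credentials'] === 'true';
}

// Express-style middleware built on the strict check (assumes Express's req/res API).
function corsMiddleware(allowed = ALLOWED_ORIGINS) {
  return (req, res, next) => {
    for (const [k, v] of Object.entries(strictCorsHeaders(req, allowed))) res.setHeader(k, v);
    if (req.method === 'OPTIONS') return res.status(204).end();
    next();
  };
}
```

Run reflectsUnknownOrigin against your own header logic before deploying; a true result means the configuration reproduces the reflection bug.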