CORS Header Generator

Generate safe CORS headers for APIs and web apps

Configure Access-Control-Allow-Origin, methods, request headers, credentials, exposed response headers, preflight cache time, and Vary: Origin. Copy production-friendly snippets for Express, Nginx, Apache, PHP, Fastify, and serverless functions.

Generated CORS headers

Access-Control-Allow-Origin https://app.example.com
Access-Control-Allow-Credentials true
Access-Control-Allow-Methods GET, POST, PUT, PATCH, DELETE, OPTIONS
Access-Control-Allow-Headers Content-Type, Authorization, X-Requested-With
Access-Control-Expose-Headers X-Request-Id
Access-Control-Max-Age 86400
Vary Origin

Full HTTP Headers

Access-Control-Allow-Origin: https://app.example.com
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: GET, POST, PUT, PATCH, DELETE, OPTIONS
Access-Control-Allow-Headers: Content-Type, Authorization, X-Requested-With
Access-Control-Expose-Headers: X-Request-Id
Access-Control-Max-Age: 86400
Vary: Origin

Nginx

# add_header directives in a location block replace, rather than extend, those
# inherited from the server level, so restate the full set where they are needed.
add_header Access-Control-Allow-Origin "https://app.example.com" always;
add_header Access-Control-Allow-Credentials "true" always;
add_header Access-Control-Allow-Methods "GET, POST, PUT, PATCH, DELETE, OPTIONS" always;
add_header Access-Control-Allow-Headers "Content-Type, Authorization, X-Requested-With" always;
add_header Access-Control-Expose-Headers "X-Request-Id" always;
add_header Access-Control-Max-Age "86400" always;
add_header Vary "Origin" always;

Apache / .htaccess

Header always set Access-Control-Allow-Origin "https://app.example.com"
Header always set Access-Control-Allow-Credentials "true"
Header always set Access-Control-Allow-Methods "GET, POST, PUT, PATCH, DELETE, OPTIONS"
Header always set Access-Control-Allow-Headers "Content-Type, Authorization, X-Requested-With"
Header always set Access-Control-Expose-Headers "X-Request-Id"
Header always set Access-Control-Max-Age "86400"
Header always set Vary "Origin"

Express / Node.js

res.setHeader('Access-Control-Allow-Origin', 'https://app.example.com');
res.setHeader('Access-Control-Allow-Credentials', 'true');
res.setHeader('Access-Control-Allow-Methods', 'GET, POST, PUT, PATCH, DELETE, OPTIONS');
res.setHeader('Access-Control-Allow-Headers', 'Content-Type, Authorization, X-Requested-With');
res.setHeader('Access-Control-Expose-Headers', 'X-Request-Id');
res.setHeader('Access-Control-Max-Age', '86400');
res.setHeader('Vary', 'Origin');

Fastify

reply.header('Access-Control-Allow-Origin', 'https://app.example.com');
reply.header('Access-Control-Allow-Credentials', 'true');
reply.header('Access-Control-Allow-Methods', 'GET, POST, PUT, PATCH, DELETE, OPTIONS');
reply.header('Access-Control-Allow-Headers', 'Content-Type, Authorization, X-Requested-With');
reply.header('Access-Control-Expose-Headers', 'X-Request-Id');
reply.header('Access-Control-Max-Age', '86400');
reply.header('Vary', 'Origin');

Serverless / Worker Response

// Wrapped in a generic handler function so the snippet runs as written;
// rename or export it to match the platform's handler convention.
async function handler(event) {
  const body = { ok: true };

  return {
    statusCode: 200,
    headers: {
      'Access-Control-Allow-Origin': 'https://app.example.com',
      'Access-Control-Allow-Credentials': 'true',
      'Access-Control-Allow-Methods': 'GET, POST, PUT, PATCH, DELETE, OPTIONS',
      'Access-Control-Allow-Headers': 'Content-Type, Authorization, X-Requested-With',
      'Access-Control-Expose-Headers': 'X-Request-Id',
      'Access-Control-Max-Age': '86400',
      'Vary': 'Origin'
    },
    body: JSON.stringify(body)
  };
}

PHP

<?php
// Call header() before any output is sent, or the headers are silently dropped.
header('Access-Control-Allow-Origin: https://app.example.com');
header('Access-Control-Allow-Credentials: true');
header('Access-Control-Allow-Methods: GET, POST, PUT, PATCH, DELETE, OPTIONS');
header('Access-Control-Allow-Headers: Content-Type, Authorization, X-Requested-With');
header('Access-Control-Expose-Headers: X-Request-Id');
header('Access-Control-Max-Age: 86400');
header('Vary: Origin');

CORS header best practices

Avoid wildcard credentials

When Access-Control-Allow-Credentials is true, browsers reject a wildcard * in Access-Control-Allow-Origin. Use a specific origin and add Vary: Origin so caches keep responses for different origins apart.

Keep methods narrow

Only allow methods your API actually accepts. Include OPTIONS for preflight handling.

Validate dynamic origins

For multi-tenant apps, compare the incoming Origin header value against an allowlist of exact origins before reflecting it in Access-Control-Allow-Origin; an origin that is not on the list gets no Allow-Origin header at all.
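One way to implement the allowlist check above, together with the credential and Vary: Origin rules from the earlier tips, as an added Node.js example that is not the generator's own output; the origins, the corsHeadersFor and corsMiddleware names, and the Express-style req/res shape are assumptions:

```javascript
// Added example, not the generator's own code: reflect an Origin only when it
// exactly matches an allowlist, send Vary: Origin on every response, and
// answer preflight directly. Origins and hostnames here are constructed.

const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',
  'https://admin.example.com',
]);
const CORS_POLICY = {
  methods: 'GET, POST, PUT, PATCH, DELETE, OPTIONS',
  allowHeaders: 'Content-Type, Authorization, X-Requested-With',
  exposeHeaders: 'X-Request-Id',
  maxAge: '86400',
  credentials: true,
};

// Returns the CORS headers for one request. Exact string match only (no
// prefix, suffix or regex), so https://app.example.com.attacker.test fails;
// the opaque origin "null" and a missing Origin header get no Allow-Origin.
function corsHeadersFor(origin, policy = CORS_POLICY, allowlist = ALLOWED_ORIGINS) {
  // Vary: Origin goes out unconditionally so a shared cache never serves a
  // response tailored to one origin to a request from another.
  const headers = { Vary: 'Origin' };
  if (typeof origin !== 'string' || origin === 'null' || !allowlist.has(origin)) {
    return headers;
  }
  headers['Access-Control-Allow-Origin'] = origin;
  if (policy.credentials) {
    // Credentials require a concrete origin; browsers reject "*" here.
    headers['Access-Control-Allow-Credentials'] = 'true';
  }
  headers['Access-Control-Allow-Methods'] = policy.methods;
  headers['Access-Control-Allow-Headers'] = policy.allowHeaders;
  headers['Access-Control-Expose-Headers'] = policy.exposeHeaders;
  headers['Access-Control-Max-Age'] = policy.maxAge;
  return headers;
}

// Express-style middleware: apply the headers, then end OPTIONS preflight
// with an empty 204 so route handlers never see it.
function corsMiddleware(req, res, next) {
  const headers = corsHeadersFor(req.headers.origin);
  for (const [name, value] of Object.entries(headers)) res.setHeader(name, value);
  if (req.method === 'OPTIONS') {
    res.statusCode = 204;
    return res.end();
  }
  next();
}
```

Register it with app.use(corsMiddleware) before the routes; a disallowed origin still receives Vary: Origin but no Access-Control-Allow-Origin, so the browser blocks the cross-origin read.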