CORS Header Generator Examples

The CORS Header Generator creates the correct Access-Control headers for your server. Below are examples for common CORS configurations across different server environments.

Public API — Allow All Origins

For a public read-only API with no authentication:

Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, OPTIONS
Access-Control-Allow-Headers: Content-Type

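Note: Never use * with Access-Control-Allow-Credentials: true. Browsers reject that combination, so an API that accepts credentials must return one specific origin.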

Private API — Specific Origin with Credentials

For an authenticated API used by a single-page application:

Access-Control-Allow-Origin: https://app.example.com
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS
Access-Control-Allow-Headers: Content-Type, Authorization, X-Requested-With
Access-Control-Allow-Credentials: true
Access-Control-Max-Age: 86400

Multiple Allowed Origins (Dynamic)

Server-side logic to allow a whitelist of origins:

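// Express.js
const express = require('express');
const app = express();

const allowedOrigins = ['https://app.example.com', 'https://admin.example.com'];

app.use((req, res, next) => {
  const origin = req.headers.origin;
  // The response depends on the Origin header, so tell caches on every response.
  res.setHeader('Vary', 'Origin');
  // Exact-match check: only listed origins are echoed back and allowed credentials.
  if (allowedOrigins.includes(origin)) {
    res.setHeader('Access-Control-Allow-Origin', origin);
    res.setHeader('Access-Control-Allow-Credentials', 'true');
  }
  res.setHeader('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE, OPTIONS');
  res.setHeader('Access-Control-Allow-Headers', 'Content-Type, Authorization');
  // Answer preflight requests here without running the route handlers.
  if (req.method === 'OPTIONS') return res.sendStatus(204);
  next();
});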

Express.js — cors Package

const cors = require('cors');

app.use(cors({
  origin: 'https://app.example.com',
  methods: ['GET', 'POST', 'PUT', 'DELETE'],
  allowedHeaders: ['Content-Type', 'Authorization'],
  credentials: true,
  maxAge: 86400
}));

nginx Configuration

location /api/ {
    # Preflight: answer OPTIONS directly with the full set of CORS headers.
    if ($request_method = 'OPTIONS') {
        add_header 'Access-Control-Allow-Origin' 'https://app.example.com';
        add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, OPTIONS';
        add_header 'Access-Control-Allow-Headers' 'Content-Type, Authorization';
        add_header 'Access-Control-Allow-Credentials' 'true';
        add_header 'Access-Control-Max-Age' 86400;
        add_header 'Content-Length' 0;
        return 204;
    }

    # "always" also adds the headers to error responses (4xx/5xx),
    # so the client can still read the status and body of a failed request.
    add_header 'Access-Control-Allow-Origin' 'https://app.example.com' always;
    add_header 'Access-Control-Allow-Credentials' 'true' always;
}

Apache .htaccess

Header always set Access-Control-Allow-Origin "https://app.example.com"
Header always set Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS"
Header always set Access-Control-Allow-Headers "Content-Type, Authorization"
Header always set Access-Control-Allow-Credentials "true"
Header always set Access-Control-Max-Age "86400"

RewriteEngine On
RewriteCond %{REQUEST_METHOD} OPTIONS
RewriteRule ^(.*)$ $1 [R=204,L]

Spring Boot (Java)

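import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.config.annotation.CorsRegistry;
import org.springframework.web.servlet.config.annotation.WebMvcConfigurer;

@Configuration
public class CorsConfig implements WebMvcConfigurer {
    @Override
    public void addCorsMappings(CorsRegistry registry) {
        // Apply the CORS policy to every endpoint under /api/.
        registry.addMapping("/api/**")
            .allowedOrigins("https://app.example.com")
            .allowedMethods("GET", "POST", "PUT", "DELETE", "OPTIONS")
            .allowedHeaders("Content-Type", "Authorization")
            .allowCredentials(true)
            .maxAge(86400);
    }
}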

Exposing Custom Response Headers

If your API returns custom headers that JavaScript needs to read:

Access-Control-Expose-Headers: X-Total-Count, X-Request-Id, X-Rate-Limit-Remaining
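
The rules from the examples above (no * with credentials, an exact-match origin list with Vary: Origin, exposed headers on the actual response) can be combined into one framework-independent function. This is an added example, not output of the CORS Header Generator; it generalizes the page's cases, and the function name, policy field names and sample policies are assumptions made for illustration.

```javascript
// Added example (not from the generator). Policy field names are assumptions.
function buildCorsHeaders(policy, requestOrigin, isPreflight) {
  const { origins, credentials = false, methods = ['GET', 'OPTIONS'],
    allowedHeaders = ['Content-Type'], exposedHeaders = [], maxAge } = policy;
  const wildcard = origins === '*';

  // Browsers reject "*" together with credentials, so refuse to generate it.
  if (wildcard && credentials) {
    throw new Error('Access-Control-Allow-Origin: * cannot be used with credentials');
  }

  const headers = {};
  // A per-origin response must be cached per origin.
  if (!wildcard) headers['Vary'] = 'Origin';

  // Exact string match only; the literal origin "null" is never accepted.
  const allowed = wildcard || (typeof requestOrigin === 'string' &&
    requestOrigin !== 'null' && origins.includes(requestOrigin));
  if (!allowed) return headers; // no Access-Control-* headers: the browser blocks the read

  headers['Access-Control-Allow-Origin'] = wildcard ? '*' : requestOrigin;
  if (credentials) headers['Access-Control-Allow-Credentials'] = 'true';

  if (isPreflight) {
    headers['Access-Control-Allow-Methods'] = methods.join(', ');
    headers['Access-Control-Allow-Headers'] = allowedHeaders.join(', ');
    if (maxAge !== undefined) headers['Access-Control-Max-Age'] = String(maxAge);
  } else if (exposedHeaders.length > 0) {
    headers['Access-Control-Expose-Headers'] = exposedHeaders.join(', ');
  }
  return headers;
}

// Constructed sample policies mirroring the public and private API cases.
const publicApi = { origins: '*' };
const privateApi = {
  origins: ['https://app.example.com', 'https://admin.example.com'],
  credentials: true,
  methods: ['GET', 'POST', 'PUT', 'DELETE', 'OPTIONS'],
  allowedHeaders: ['Content-Type', 'Authorization'],
  exposedHeaders: ['X-Total-Count', 'X-Request-Id'],
  maxAge: 86400,
};

console.log(buildCorsHeaders(privateApi, 'https://app.example.com', true));
// Constructed near-match origin that is not on the list: only Vary is returned.
console.log(buildCorsHeaders(privateApi, 'https://app.example.com.untrusted.test', false));
```
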

Preflight Request Flow

These methods and headers trigger a preflight OPTIONS request:

Common Use Cases

Generate the exact headers for your use case and get ready-to-use configuration for nginx, Apache, Express, Spring Boot, and other platforms.

Frequently Asked Questions

Simply enter your data, click the process button, and get instant results. All processing happens in your browser for maximum privacy and security.

Yes! CORS Header Generator is completely free to use with no registration required. All processing is done client-side in your browser.

Absolutely! All processing happens locally in your browser. Your data never leaves your device, ensuring complete privacy and security.