CORS Reference & Debugger

Interactive guide to Cross-Origin Resource Sharing with config generator.

How CORS Works

1. Browser Request

Browser sends request with Origin header

2. Server Response

Server includes Access-Control-* headers

3. Browser Check

Browser checks headers and allows or blocks the response

CORS Configuration Generator

Enter the allowed origins as a comma-separated list. Use * for all origins (not recommended for production).



Common CORS Errors

No 'Access-Control-Allow-Origin' header

The server didn't include CORS headers. Add the appropriate headers to your server configuration.

Credentials flag is true but Access-Control-Allow-Origin is '*'

When using credentials, you can't use a wildcard origin. Specify the exact origin instead.

Method not allowed by Access-Control-Allow-Methods

The preflight response doesn't include the request method. Add it to allowed methods.

Request header not allowed

A custom header isn't in Access-Control-Allow-Headers. Add it or use a simple header.
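
The server-side decision behind these four errors, as an added example (not this page's generator output): the origin is matched exactly against an allowlist and echoed back, a wildcard combined with credentials is rejected, and a preflight is granted only when its method and headers are allowed. The function name `corsHeaders`, the config field names and the example.com origins are hypothetical, and request header names are assumed to be lowercased as Node's `http` module delivers them.

```javascript
// Constructed sample configuration; every value here is illustrative.
const config = {
  origins: ['https://app.example.com', 'https://admin.example.com'],
  methods: ['GET', 'POST', 'PUT'],
  headers: ['content-type', 'authorization'],
  credentials: true,
  maxAge: 600,
};

// Returns the CORS headers to attach to the response, or {} when the
// request must not be granted cross-origin access (the browser then blocks it).
function corsHeaders(cfg, req) {
  const origin = req.headers['origin'];
  if (!origin) return {}; // no Origin header: not a cross-origin browser request

  const wildcard = cfg.origins.includes('*');
  if (wildcard && cfg.credentials) {
    // Browsers refuse this combination, so fail at configuration time.
    throw new Error("credentials cannot be combined with origin '*'");
  }
  // Exact string match only: no prefix, suffix or substring comparison.
  if (!wildcard && !cfg.origins.includes(origin)) return {};

  const out = wildcard
    ? { 'Access-Control-Allow-Origin': '*' }
    : { 'Access-Control-Allow-Origin': origin, 'Vary': 'Origin' };
  if (cfg.credentials) out['Access-Control-Allow-Credentials'] = 'true';

  // Preflight: an OPTIONS request carrying Access-Control-Request-Method.
  const wantMethod = req.headers['access-control-request-method'];
  if (req.method === 'OPTIONS' && wantMethod) {
    if (!cfg.methods.includes(wantMethod)) return {};
    const wantHeaders = (req.headers['access-control-request-headers'] || '')
      .split(',').map((h) => h.trim().toLowerCase()).filter(Boolean);
    if (!wantHeaders.every((h) => cfg.headers.includes(h))) return {};
    out['Access-Control-Allow-Methods'] = cfg.methods.join(', ');
    out['Access-Control-Allow-Headers'] = cfg.headers.join(', ');
    out['Access-Control-Max-Age'] = String(cfg.maxAge);
  }
  return out;
}
```

`Vary: Origin` is set whenever the origin is echoed so that a shared cache does not serve one origin's response to another.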