CORS Policy Builder

Generate CORS headers for Nginx, Apache, Cloudflare, Express, Node, and AWS. Pure client-side.

Comma-separated. Use * for wildcard.
  • Never use * for origins if you allow credentials
  • Use specific origins in production: https://yoursite.com
  • Wildcard * origins work only when credentials are disabled
  • Set a reasonable max-age to avoid excessive preflight requests
Sponsored