← devnestio
CORS Headers Generator
Origin Settings
Allowed Origins
(one per line, or * for all)
https://example.com
Allow Credentials
Sets Access-Control-Allow-Credentials: true
Allowed Methods
GET
POST
PUT
PATCH
DELETE
HEAD
OPTIONS
Allowed Headers
Content-Type
Authorization
Accept
X-Requested-With
Origin
Cache-Control
Custom Headers
(comma-separated)
Expose & Preflight
Exposed Headers
(readable by JS)
Preflight Max-Age
(seconds, 0 = disable)
Generated Headers Preview
These are the response headers your server should send.
⚠ Using
*
with credentials is invalid per CORS spec. The browser will block the request.
Express.js
nginx
Apache
CF Workers
Raw Headers
Copy