
CORS Configuration

Configurable headers:
Access-Control-Allow-Origin
Access-Control-Allow-Methods
Access-Control-Allow-Headers
Access-Control-Expose-Headers
Access-Control-Max-Age (in seconds)
Access-Control-Allow-Credentials (cannot be used with a wildcard (*) origin)

Generated Output

Configure options to generate CORS headers...
All processing happens in your browser. No data is sent to any server.

Usage Examples

Open Public API

Allow any origin to make GET and POST requests. Ideal for public APIs that serve data to any website.

Internal App with Auth

Restrict access to specific origins with credentials support. Perfect for internal applications with authentication.

Read-Only API

A read-only API configuration that allows GET requests from any origin and exposes pagination headers.

Features

Full Configuration

Configure all CORS headers including origin, methods, headers, credentials and max-age

Multi-Server Support

Get ready-to-use config snippets for Nginx, Apache, Node.js/Express and PHP

Custom Origins & Headers

Add multiple custom origins and headers with an easy tag-based interface

Privacy First

All processing happens locally in your browser, no data sent to servers

How to Use?

1. Configure Settings

Set your allowed origins, HTTP methods, headers, max-age and credentials options.

2. Choose Output Format

Switch between HTTP headers, Nginx, Apache, Node.js or PHP output formats.

3. Copy & Deploy

Copy the generated configuration and add it to your server setup.

Frequently Asked Questions

The CORS spec forbids it. When credentials (cookies, auth headers) are involved, the server must echo the exact requesting origin, not a wildcard. This prevents credentials from leaking to arbitrary domains.

Any request using PUT, DELETE, PATCH, or custom headers triggers a preflight OPTIONS request. Simple GET/POST requests with standard headers skip it. The preflight checks whether the server actually allows the operation before the real request is sent.

No. Everything runs in your browser. Nothing is sent to a server or stored anywhere.

What Is CORS and Why Does It Exist?

CORS (Cross-Origin Resource Sharing) is a browser security mechanism that controls which origins can make cross-origin requests to your API and read the responses. By default, the browser's same-origin policy blocks cross-origin access: a script on example.com can't call api.otherdomain.com. CORS response headers tell the browser "it's okay, I trust this origin." Without proper CORS configuration, your frontend gets opaque "blocked by CORS policy" errors that are notoriously unhelpful.

Why CORS Configuration Is Confusing

CORS has multiple headers that interact in non-obvious ways. Allow-Origin can be a specific origin or *, but the wildcard cannot be combined with credentials. Allow-Methods and Allow-Headers must cover what the client announces in its preflight. Max-Age controls how long the browser caches a preflight result. Miss any of these and your API calls fail with cryptic errors. This tool lets you configure everything visually and outputs ready-to-paste configs for Nginx, Apache, Node.js, and PHP.

Common CORS Mistakes

The number one mistake is setting Allow-Origin to * while also enabling credentials - the browser will reject this. Second is forgetting to handle OPTIONS preflight requests on the server, causing PUT/DELETE/PATCH to fail. Third is not exposing custom response headers with Expose-Headers, making them invisible to JavaScript. This tool warns you about these issues as you configure.

Preflight Requests Explained

Before sending a "complex" request (anything beyond simple GET/POST with standard headers), the browser sends an OPTIONS request asking "is this allowed?" The server must respond with the appropriate Allow-* headers. If it doesn't, the actual request never fires. The Access-Control-Max-Age header tells the browser how long to cache this preflight response so it doesn't ask again for every request.
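The rules from the FAQ answers and the three sections above (no wildcard with credentials, echo the exact origin, which requests trigger a preflight, and what the preflight response must list), as an added JavaScript example that is not the generator's own code; the config shape, the request objects and the origin https://app.example.test are constructed for the example:

```javascript
// Added example, not the generator's code: server-side CORS headers plus a simulated browser preflight check.
const SAFELISTED = ['accept', 'accept-language', 'content-language', 'content-type'];
const SIMPLE_TYPES = /^(text\/plain|application\/x-www-form-urlencoded|multipart\/form-data)/;
// Request headers the browser must find in Allow-Headers: anything not safelisted,
// or a Content-Type outside the three simple values (application/json, for one).
function nonSimpleHeaders(headers = {}) {
  return Object.entries(headers)
    .map(([k, v]) => [k.toLowerCase(), v])
    .filter(([k, v]) => !SAFELISTED.includes(k) || (k === 'content-type' && !SIMPLE_TYPES.test(v)))
    .map(([k]) => k);
}

// A request skips the OPTIONS preflight only if method and headers are all simple.
function needsPreflight(req) {
  return !['GET', 'HEAD', 'POST'].includes(req.method) || nonSimpleHeaders(req.headers).length > 0;
}

// Server side: the CORS response headers for a request carrying this Origin.
function corsHeaders(config, origin) {
  if (config.credentials && config.origins.includes('*')) {
    throw new Error('Allow-Origin * cannot be combined with Allow-Credentials');
  }
  const out = {};
  if (config.origins.includes('*')) {
    out['Access-Control-Allow-Origin'] = '*';
  } else if (config.origins.includes(origin)) {
    out['Access-Control-Allow-Origin'] = origin; // echo the one matching origin, never the list
    out['Vary'] = 'Origin';                      // so a cache never serves it to a different origin
  } else {
    return out; // unlisted origin: no CORS headers at all, the browser blocks the response
  }
  if (config.credentials) out['Access-Control-Allow-Credentials'] = 'true';
  out['Access-Control-Allow-Methods'] = config.methods.join(', ');
  out['Access-Control-Allow-Headers'] = config.allowedHeaders.join(', ');
  if (config.exposeHeaders.length) out['Access-Control-Expose-Headers'] = config.exposeHeaders.join(', ');
  if (config.maxAge !== undefined) out['Access-Control-Max-Age'] = String(config.maxAge);
  return out;
}

// Browser side: would this preflight response let the real request go out?
function preflightPasses(headers, req) {
  const allowOrigin = headers['Access-Control-Allow-Origin'];
  if (allowOrigin !== '*' && allowOrigin !== req.origin) return false;
  if (req.credentials && (allowOrigin === '*' || headers['Access-Control-Allow-Credentials'] !== 'true')) return false;
  const list = name => (headers[name] || '').split(',').map(s => s.trim()).filter(Boolean);
  if (!list('Access-Control-Allow-Methods').map(m => m.toUpperCase()).includes(req.method)) return false;
  const allowed = list('Access-Control-Allow-Headers').map(h => h.toLowerCase());
  return nonSimpleHeaders(req.headers).every(h => allowed.includes(h));
}
```

Run `corsHeaders` on the preflight's Origin and feed the result to `preflightPasses` with the real request to see why a PUT with a JSON body fails until both the method and `Content-Type` are listed.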

Privacy

Your CORS configuration never leaves your browser. No server calls, no storage, no tracking. The tool runs entirely in JavaScript.

Security and Privacy

Your data security is our priority

Local Processing

All processing happens in your browser

No Data Transfer

Your data is not sent to our servers

No Data Storage

No data is stored or shared

SSL Encryption

SSL encryption for secure connection