CORS Policy Generator — Build Cross-Origin Resource Sharing Rules

🔧 Policy Builder

Allowed origins (one per line, or * for all)

Allowed methods

GET ✕ POST ✕ PUT ✕ DELETE ✕ PATCH ✕ OPTIONS ✕

Allowed headers

Content-Type ✕ Authorization ✕ X-Custom-Header ✕

Max-Age (seconds) for preflight cache

Access-Control-Allow-Credentials

Disabled

📋 Generated Headers

Access-Control-Allow-Origin: https://myapp.com
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, PATCH, OPTIONS
Access-Control-Allow-Headers: Content-Type, Authorization, X-Custom-Header
Access-Control-Max-Age: 3600

⚙️ Server Config

// Express.js example
app.use(cors({ origin: 'https://myapp.com', methods: ['GET','POST','PUT','DELETE','PATCH','OPTIONS'], allowedHeaders: ['Content-Type','Authorization','X-Custom-Header'], maxAge: 3600 }));

🧪 Preflight Simulator

Origin

Method

Custom headers (comma separated)

⚠️ Common CORS errors & fixes

❌ No 'Access-Control-Allow-Origin'
Add the correct origin or use '*' (not with credentials).

❌ Method not allowed
Include the request method in allowed methods.

❌ Request header field not allowed
Add the custom header to allowed headers.

❌ Credentials + wildcard
Cannot use '*' with credentials. Specify exact origins.