CORS Header Generator
Generate CORS config for Nginx, Apache, Express, Fastify, Flask, Go, or raw headers.
Written by Golam Rabbani, Founder & Lead Engineer
How to use this CORS header generator
- List the allowed origins, one per line — use * for any origin, or http(s)://host[:port] for a specific one.
- Tick the HTTP methods your API supports (GET, POST, PUT, PATCH, DELETE, OPTIONS, HEAD).
- Add the request headers clients may send (e.g. Content-Type, Authorization) and any headers you want exposed.
- Set max-age in seconds (browsers cap this — Chromium tops out around 7200) and tick Allow credentials if cookies cross origins.
- Pick a target — Nginx, Apache, Express, Fastify, Flask, Go (rs/cors), or raw HTTP headers — then Generate and Copy.
About this CORS header generator
The CORS header generator produces a CORS configuration block for the server or framework you actually use. It handles single-origin, multi-origin (with `Vary: Origin` reflection), and wildcard cases, and switches output mode between server config and framework code — Nginx `add_header`/`if`, Apache `<IfModule mod_headers.c>`, Express `cors()`, Fastify `@fastify/cors`, Flask-CORS, Go rs/cors, or plain HTTP response headers.
When you list more than one origin and the target is Nginx or Apache, the tool emits a small reflection block: the server matches the incoming `Origin` against your allow-list and echoes it back as `Access-Control-Allow-Origin` only on a match, with `Vary: Origin` so caches do not pollute. The well-known footgun — `Access-Control-Allow-Origin: *` together with `Access-Control-Allow-Credentials: true` — produces a warning instead of silently shipping a broken config.
For example, targeting Nginx with origins `https://app.example.com` and `https://admin.example.com`, methods `GET, POST, OPTIONS`, allowed headers `Content-Type, Authorization`, and a max-age of 600 generates an Nginx block that maps `$cors_origin` from `$http_origin` against the allow-list, emits `add_header Access-Control-Allow-Origin $cors_origin always;`, `add_header Vary "Origin" always;`, the standard Methods/Headers/Max-Age lines, and an `if ($request_method = OPTIONS)` block returning 204 so preflights never reach your application. Everything is built in the browser; nothing is sent anywhere.
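The decision logic behind that output (allow-list reflection with `Vary: Origin`, the preflight 204, and the wildcard-plus-credentials warning), written as an added framework-neutral example rather than the generator's own code. The config shape, function names and sample values are assumptions for this example; it goes slightly beyond the text by sending `Vary: Origin` on every allow-list response, matched or not, so a cached miss can never be served to a listed origin.

```javascript
// Flag configs that look fine in an editor but fail in the browser.
function validateCorsConfig(cfg) {
  const warnings = [];
  if (cfg.origins.includes("*") && cfg.credentials) {
    warnings.push("Access-Control-Allow-Origin: * cannot be combined with " +
      "Access-Control-Allow-Credentials: true; list the real origins instead");
  }
  return warnings;
}

// Compute CORS headers for one request. `status` is 204 when the preflight is
// answered here (it never reaches the app); null means pass the request on.
function corsResponse(cfg, requestOrigin, requestMethod) {
  const headers = {};
  if (cfg.origins.includes("*") && !cfg.credentials) {
    headers["Access-Control-Allow-Origin"] = "*";
  } else {
    // Allow-list reflection: the answer now depends on the Origin header, so
    // tell caches even when there is no match (a cached "no ACAO" response
    // must not be served to an allowed origin, and vice versa).
    headers["Vary"] = "Origin";
    if (requestOrigin && cfg.origins.includes(requestOrigin)) {
      headers["Access-Control-Allow-Origin"] = requestOrigin; // exact match only
    }
  }
  if ("Access-Control-Allow-Origin" in headers) {
    headers["Access-Control-Allow-Methods"] = cfg.methods.join(", ");
    headers["Access-Control-Allow-Headers"] = cfg.allowHeaders.join(", ");
    if (cfg.exposeHeaders.length > 0) {
      headers["Access-Control-Expose-Headers"] = cfg.exposeHeaders.join(", ");
    }
    if (cfg.maxAge !== undefined) headers["Access-Control-Max-Age"] = String(cfg.maxAge);
    if (cfg.credentials) headers["Access-Control-Allow-Credentials"] = "true";
  }
  return { status: requestMethod === "OPTIONS" ? 204 : null, headers };
}

// Constructed sample config matching the Nginx scenario in the text above.
const sampleConfig = {
  origins: ["https://app.example.com", "https://admin.example.com"],
  methods: ["GET", "POST", "OPTIONS"],
  allowHeaders: ["Content-Type", "Authorization"],
  exposeHeaders: [],
  maxAge: 600,
  credentials: false,
};
```

Call `corsResponse(sampleConfig, req.headers.origin, req.method)` from a middleware, write the returned headers, and short-circuit with the 204 when `status` is set.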
FAQ
- Why does the tool warn me about wildcard origin with credentials?
- Browsers reject `Access-Control-Allow-Origin: *` together with `Access-Control-Allow-Credentials: true` — the cookie/auth path requires a specific origin. The warning surfaces a config that would look fine in your editor but would silently fail in the browser. List the real origins instead of using `*`.
- What is the role of Vary: Origin?
- When you allow multiple origins and echo the request `Origin` back, the response varies by Origin. Without `Vary: Origin`, a shared cache (CDN, browser, reverse proxy) might serve the response cached for one origin to a request from a different origin, granting that second origin access it was never listed for. The Nginx and Apache outputs add it for you automatically in multi-origin mode.
- Why does the Nginx output short-circuit OPTIONS with a 204?
- Preflight OPTIONS requests have no body and do not need to reach your application. Returning 204 (No Content) at the proxy layer keeps preflights fast and stops them from filling your logs. The CORS headers are still emitted with the `always` flag so they are present on the 204 response.
- Should I expose any headers?
- Only the response headers you want JavaScript on the client to read. By default browsers only expose a tiny safelist (Cache-Control, Content-Language, Content-Type, Expires, Last-Modified, Pragma). If your API returns a custom `X-Request-Id` header you want the client to log, add it to `Access-Control-Expose-Headers`.
- Does the generator send my origin list or config anywhere?
- No. The form is processed in the browser; the rendered config never leaves your device. Closing the tab discards the form contents.
- Is this CORS header generator free to use?
- Yes, it is completely free with no account, no signup, and no usage limits.