Should I use wildcard origin for my public API?

For public APIs without authentication, wildcard is acceptable. If using cookies or auth headers, you must specify exact origins.

CORS Header Checker

Understand Cross-Origin Resource Sharing (CORS), build CORS policies interactively, and generate server configurations. Learn how preflight requests work and debug common CORS errors with the reference guide below.

CORS Policy Builder

Allowed Origins

Allowed Methods

GET POST PUT DELETE PATCH OPTIONS

Allowed Headers

Max Age (seconds)

Allow credentials (cookies, auth headers)
Expose custom response headers

Generated Headers

Nginx Configuration

Express.js (Node.js)

Apache (.htaccess)

What Is CORS?

Cross-Origin Resource Sharing (CORS) is a security mechanism that allows or restricts web pages from making requests to a different domain than the one that served the page. By default, browsers block cross-origin requests (the Same-Origin Policy). CORS headers tell the browser which cross-origin requests are permitted.

CORS is fundamental to modern web development, where frontends and APIs often live on different domains. It is also relevant for network tools — if you are building a dashboard that queries your router's API from a different origin, or using a DNS lookup service, CORS policies determine whether those requests succeed.

CORS Headers Reference

Here is a complete reference of all CORS-related HTTP headers:

Header	Direction	Purpose	Example Value
Access-Control-Allow-Origin	Response	Which origins can access the resource	https://example.com or *
Access-Control-Allow-Methods	Response	Which HTTP methods are allowed	GET, POST, PUT, DELETE
Access-Control-Allow-Headers	Response	Which request headers are allowed	Content-Type, Authorization
Access-Control-Max-Age	Response	How long to cache preflight results	86400 (24 hours)
Access-Control-Allow-Credentials	Response	Whether cookies/auth are included	true
Access-Control-Expose-Headers	Response	Which response headers JS can read	X-Request-Id, X-Total-Count
Origin	Request	The requesting page's origin	https://myapp.com
Access-Control-Request-Method	Request (preflight)	The method the actual request will use	DELETE
Access-Control-Request-Headers	Request (preflight)	Headers the actual request will send	Authorization

Pro Tip: Never use Access-Control-Allow-Origin: * with Access-Control-Allow-Credentials: true — browsers reject this combination for security reasons. If you need credentials, you must specify the exact origin. Use dynamic origin checking on the server to support multiple origins with credentials. For APIs behind your port-forwarded server, always use specific origins.

How Preflight Requests Work

When a cross-origin request uses methods other than GET/POST or includes custom headers, the browser sends a preflight OPTIONS request first. Understanding this flow is critical for debugging CORS issues:

Step	What Happens	Who Initiates
1. Simple request check	Browser checks if the request qualifies as "simple" (GET/POST with standard headers)	Browser
2. Preflight sent	If not simple, browser sends OPTIONS request with CORS request headers	Browser (automatic)
3. Server responds	Server returns CORS response headers indicating what is allowed	Server
4. Preflight cached	Browser caches the preflight response for Access-Control-Max-Age seconds	Browser
5. Actual request	If preflight approved, browser sends the actual request	Browser
6. Response checked	Browser verifies response headers match preflight approval	Browser

Common CORS Errors and Fixes

CORS errors are among the most confusing issues in web development. Here are the most common ones and how to fix them:

Error: No Access-Control-Allow-Origin header

# Error message:
# "has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header
# is present on the requested resource."

# Fix: Add the header to your server response
# Nginx:
add_header 'Access-Control-Allow-Origin' 'https://yourapp.com' always;

Error: Wildcard origin with credentials

# Error message:
# "The value of the 'Access-Control-Allow-Origin' header must not be '*'
# when the request's credentials mode is 'include'."

# Fix: Use specific origin instead of wildcard
add_header 'Access-Control-Allow-Origin' $http_origin always;
add_header 'Access-Control-Allow-Credentials' 'true' always;

Error: Method not allowed

# Error message:
# "Method DELETE is not allowed by Access-Control-Allow-Methods"

# Fix: Include the method in allowed methods
add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, OPTIONS' always;

For a comprehensive security setup, combine proper CORS with other security headers like CSP and HSTS. Also ensure your API authentication is properly configured.

Note: CORS is enforced by the browser, not the server. Server-side requests (like those from a Node.js backend) are not subject to CORS restrictions. If you are making API calls from your server rather than a browser, CORS headers are irrelevant. However, if your server acts as a reverse proxy for browser clients, you still need to set CORS headers on the proxy response.

CORS Security Best Practices

Misconfigured CORS can expose your API to cross-origin attacks. Follow these guidelines to balance functionality with security, much like how you balance convenience and security on your home network:

Never use wildcard (*) with credentials — Specify exact origins when authentication is involved.
Validate origins server-side — Do not simply reflect the Origin header. Maintain a whitelist of allowed origins.
Minimize allowed methods — Only allow the HTTP methods your API actually uses.
Restrict allowed headers — Only permit headers your API expects.
Use long max-age for caching — Reduce preflight request overhead by caching results (86400 seconds is standard).
Combine with authentication — CORS alone does not replace proper authentication. Use strong API keys or OAuth tokens.
Monitor CORS errors — Log blocked CORS requests to detect misconfigurations or attack attempts.

CORS vs CSP: Understanding the Difference

CORS and Content Security Policy (CSP) are often confused, but they serve different purposes. Understanding both is essential for web security:

Feature	CORS	CSP
Direction	Controls incoming requests to your server	Controls outgoing requests from your page
Enforced by	Browser + server headers	Browser from server-sent policy
Purpose	Allow/block cross-origin API access	Prevent XSS and resource injection
Configuration	Server response headers	Server response header or meta tag
Scope	Fetch/XHR/API requests	All page resources (scripts, styles, images, etc.)

For complete web security, configure both CORS and CSP. See our HTTP Headers Checker and Mixed Content Checker for complementary security tools.

Key Takeaways

CORS controls which origins can access your server's resources from a browser context.
Preflight OPTIONS requests are sent automatically for non-simple cross-origin requests.
Never use wildcard origins with credentials — always specify exact allowed origins.
Set Access-Control-Max-Age to cache preflight results and reduce request overhead.
CORS is browser-enforced — server-to-server requests are not affected by CORS policies.
Combine CORS with CSP and other security headers for comprehensive protection.

Video: CORS Explained

Related Guides

Frequently Asked Questions

Why do I get CORS errors only in the browser?

CORS is a browser security mechanism. When you make the same request from Postman, curl, or a server-side script, there is no CORS check because there is no browser to enforce it. The browser adds the Origin header and enforces the Same-Origin Policy; other HTTP clients do not.

Can I disable CORS in the browser?

You can disable CORS for development using browser flags or extensions, but this is dangerous for security and should never be done in production. The proper fix is always to configure correct CORS headers on your server.

Why does my preflight request fail?

The most common cause is the server not handling OPTIONS requests. Many frameworks route OPTIONS to a 404 by default. Ensure your server returns a 204 response to OPTIONS requests with the correct CORS headers. Check that your server is not requiring authentication for OPTIONS requests.

What is a "simple request" in CORS?

A simple request uses only GET, HEAD, or POST methods with standard headers (Accept, Content-Type with form values, Content-Language). Simple requests do not trigger a preflight — the browser sends them directly and checks CORS headers on the response. Any other combination triggers a preflight.

Should I use Access-Control-Allow-Origin: * for my public API?

For truly public APIs that do not use cookies or authentication, wildcard (*) is acceptable. However, if your API uses any form of authentication (API keys in headers, session cookies), you must use specific origins. Even for public APIs, consider using specific origins for better security.

How do I handle CORS with a reverse proxy?

If your reverse proxy (Nginx, Apache) sits in front of your application, you can add CORS headers at the proxy level instead of in your application code. This centralizes CORS configuration. However, ensure you are not duplicating headers — having the same header set twice can cause issues.

Does CORS protect my API from abuse?

No. CORS only prevents browser-based cross-origin requests. Attackers can bypass CORS entirely using curl, Postman, or any non-browser HTTP client. Always implement proper authentication, rate limiting, and input validation regardless of CORS settings. Use strong API credentials for all protected endpoints.

About Tommy N.

Tommy is the founder of RouterHax and a network engineer with 10+ years of experience in home and enterprise networking. He specializes in router configuration, WiFi optimization, and network security. When not writing guides, he's testing the latest mesh WiFi systems and helping readers troubleshoot their home networks.