CORS Headers Cheat Sheet
Quick reference for every CORS header — what the browser sends, what your server must return, and what each one does.
Request headers (browser → server)
| Header | When sent | Example |
|---|---|---|
| Origin | Every cross-origin request | Origin: https://app.example.com |
| Access-Control-Request-Method | Preflight OPTIONS only | Access-Control-Request-Method: POST |
| Access-Control-Request-Headers | Preflight OPTIONS only | Access-Control-Request-Headers: Authorization, Content-Type |
Response headers (server → browser)
| Header | Required? | Example | Notes |
|---|---|---|---|
| Access-Control-Allow-Origin | Yes | https://app.example.com or * | Cannot use * with credentials |
| Access-Control-Allow-Methods | On preflight | GET, POST, PUT, DELETE, OPTIONS | Must include the requested method |
| Access-Control-Allow-Headers | On preflight | Authorization, Content-Type | Must include requested headers |
| Access-Control-Allow-Credentials | With cookies/auth | true | Only valid with explicit origin, not * |
| Access-Control-Max-Age | Optional | 86400 | Seconds to cache preflight. Default varies by browser. |
| Access-Control-Expose-Headers | Optional | X-Request-ID, X-Rate-Limit | Headers JavaScript can read beyond the safe list |
| Vary | With explicit origins | Origin | Prevents CDN from serving one origin's response to another |
The safe response headers (no Expose-Headers needed)
By default, JavaScript can only read these response headers without Access-Control-Expose-Headers:
- Cache-Control
- Content-Language
- Content-Length
- Content-Type
- Expires
- Last-Modified
- Pragma
To expose other headers (like X-Rate-Limit, X-Request-ID), add them to Access-Control-Expose-Headers.
Minimal working CORS for a public API
```http
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Allow-Headers: Content-Type
```
CORS for authenticated API with cookies
```http
Access-Control-Allow-Origin: https://app.example.com
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS
Access-Control-Allow-Headers: Authorization, Content-Type
Access-Control-Max-Age: 86400
Vary: Origin
```
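The authenticated case above, as an added server-side example that is not part of the original cheat sheet: an exact-match origin allowlist (never reflect an arbitrary Origin, never answer `*` with credentials), preflight validation of the requested method and headers, and `Vary: Origin` on every response. The allowlist entries and the `{ method, headers }` request shape with lower-case header names are constructed assumptions, not any framework's API.

```javascript
// Added example (not from the original cheat sheet): server-side logic for
// the "authenticated API with cookies" case. Allowlist entries and the
// request object shape { method, headers } (lower-case header names) are
// constructed assumptions, not any particular framework's API.
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",   // constructed sample entry
  "https://admin.example.com", // constructed sample entry
]);
const ALLOWED_METHODS = ["GET", "POST", "PUT", "DELETE", "OPTIONS"];
const ALLOWED_HEADERS = ["authorization", "content-type"];

function corsHeaders(req) {
  const origin = req.headers["origin"];
  // Always send Vary: Origin so a shared cache never serves one origin's
  // response to another.
  const out = { Vary: "Origin" };

  // Exact-match allowlist. Never reflect an arbitrary Origin back, and never
  // answer "*": with Allow-Credentials: true the browser rejects "*".
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return out;

  const isPreflight =
    req.method === "OPTIONS" && "access-control-request-method" in req.headers;

  if (isPreflight) {
    // Preflight is only acknowledged if the requested method and every
    // requested header are on our allowlist; otherwise return no Allow-*
    // headers and the browser blocks the actual request.
    const reqMethod = req.headers["access-control-request-method"];
    const reqHeaders = (req.headers["access-control-request-headers"] || "")
      .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);
    if (!ALLOWED_METHODS.includes(reqMethod) ||
        !reqHeaders.every((h) => ALLOWED_HEADERS.includes(h))) {
      return out;
    }
    out["Access-Control-Allow-Methods"] = ALLOWED_METHODS.join(", ");
    out["Access-Control-Allow-Headers"] = "Authorization, Content-Type";
    out["Access-Control-Max-Age"] = "86400"; // cache the preflight for a day
  } else {
    // Actual request: expose the non-safelisted header JavaScript may read.
    out["Access-Control-Expose-Headers"] = "X-Request-ID";
  }
  out["Access-Control-Allow-Origin"] = origin; // echo the allowlisted value
  out["Access-Control-Allow-Credentials"] = "true";
  return out;
}
```

A request from an origin outside the allowlist gets only `Vary: Origin`, so the browser blocks it; a preflight asking for a method or header outside the allowlist is treated the same way.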