CORS Headers Generator — Build Exact Access-Control Headers for Your API

Updated April 2026

CORS headers have to be exactly right — the wrong wildcard, a missing preflight handler, or a credentials mismatch will block requests silently. The generator builds the exact config for your stack in seconds.

Open CORS Header Generator →

What CORS headers your API needs

At minimum, every cross-origin API response needs:

Access-Control-Allow-Origin: https://your-frontend.com
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Allow-Headers: Content-Type, Authorization

For authenticated requests (cookies, Authorization header), add:

Access-Control-Allow-Credentials: true

Never use Access-Control-Allow-Origin: * with Access-Control-Allow-Credentials: true — browsers reject this combination. You must specify an explicit origin when using credentials. The same applies to Access-Control-Allow-Methods and Access-Control-Allow-Headers: in a credentialed response a browser treats * as a literal header or method name, not as a wildcard, so list the values explicitly.

Preflight requests — the most common mistake

Browsers send an OPTIONS preflight before any request that is not a "simple" request: PUT, DELETE, PATCH, a POST with a non-form body such as application/json, or any request that sets custom headers (including Authorization). Your server must respond to OPTIONS with 204 (or 200) and the CORS headers — otherwise the actual request never fires.

Nginx

# Answer the preflight directly, without hitting the upstream.
if ($request_method = OPTIONS) {
    add_header Access-Control-Allow-Origin "https://app.example.com";
    add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS";
    add_header Access-Control-Allow-Headers "Content-Type, Authorization";
    add_header Access-Control-Max-Age 86400;
    return 204;
}
# "always" keeps the header on error responses (4xx/5xx) too.
add_header Access-Control-Allow-Origin "https://app.example.com" always;

Express (Node.js)

const express = require('express');
const cors = require('cors');

const app = express();

// One shared options object so the preflight route and the main middleware
// agree: cors() with no options answers preflights with Allow-Origin: *,
// which the browser rejects once credentials are involved.
const corsOptions = {
  origin: 'https://app.example.com',
  methods: ['GET', 'POST', 'PUT', 'DELETE', 'OPTIONS'],
  allowedHeaders: ['Content-Type', 'Authorization'],
  credentials: true,
  maxAge: 86400,
};

app.use(cors(corsOptions));
app.options('*', cors(corsOptions)); // Handle preflight (Express 4 path syntax; Express 5 uses '/{*splat}')

FastAPI (Python)

from fastapi import FastAPI
from fastapi.middleware.cors import CORSMiddleware

app = FastAPI()

# CORSMiddleware answers preflights itself; no explicit OPTIONS route is needed.
app.add_middleware(
    CORSMiddleware,
    allow_origins=["https://app.example.com"],
    allow_methods=["GET", "POST", "PUT", "DELETE", "OPTIONS"],
    allow_headers=["Content-Type", "Authorization"],
    allow_credentials=True,
    max_age=86400,
)

Vercel (vercel.json)

{
  "headers": [
    {
      "source": "/api/(.*)",
      "headers": [
        {"key": "Access-Control-Allow-Origin", "value": "https://app.example.com"},
        {"key": "Access-Control-Allow-Methods", "value": "GET, POST, OPTIONS"},
        {"key": "Access-Control-Allow-Headers", "value": "Content-Type, Authorization"}
      ]
    }
  ]
}

The Vary: Origin header

When your API returns different Access-Control-Allow-Origin values for different origins (dynamic CORS), add Vary: Origin. Without it, CDNs may cache a response for one origin and serve it to another. Dynamic CORS also means the server decides per request which origin to echo back: compare the request's Origin header against an allowlist by exact string match, and send no Access-Control-Allow-Origin at all for origins that are not on it. Reflecting whatever Origin arrives, or matching on a prefix or substring, turns a credentialed API into one any site can read.

add_header Vary Origin always;
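The three rules above (no wildcard origin with credentials, a complete preflight response, and Vary: Origin with an exact-match allowlist for dynamic CORS) fit in one small server-side routine. The following Python module is an added example written for this page, not code from the generator, CORSFixer, or any framework; the allowlist, method list and sample requests in it are constructed values, and the function and variable names are this example's own. It builds the CORS headers for one response from the request's Origin header and method, and a second function lints a finished header set for the misconfigurations the text describes.

```python
"""Dynamic CORS header builder with an exact-match origin allowlist (example code)."""

# Constructed allowlist for this example; a real deployment loads it from config.
ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}
ALLOWED_METHODS = ["GET", "POST", "PUT", "DELETE", "OPTIONS"]
ALLOWED_HEADERS = ["Content-Type", "Authorization"]
MAX_AGE_SECONDS = 86400  # the value the text recommends; browsers may cap it lower


def _lower_keys(headers: dict) -> dict:
    """HTTP header names are case-insensitive; normalise for lookup."""
    return {k.lower(): v for k, v in headers.items()}


def cors_headers(request_headers: dict, method: str, *,
                 allow_credentials: bool = True,
                 allowlist=ALLOWED_ORIGINS) -> dict:
    """Return the CORS headers to attach to one response.

    - The Origin value is echoed only after an exact match against the
      allowlist, so "https://app.example.com.evil.test" or a reflected
      arbitrary origin never receives a credentialed response.
    - Vary: Origin is always emitted because the response differs per origin.
    - A preflight (OPTIONS carrying Access-Control-Request-Method) also gets
      Allow-Methods, Allow-Headers and Max-Age.
    """
    req = _lower_keys(request_headers)
    origin = req.get("origin")
    headers = {"Vary": "Origin"}

    if origin is None or origin not in allowlist:
        # No Access-Control-Allow-Origin at all: the browser blocks the read.
        return headers

    headers["Access-Control-Allow-Origin"] = origin
    if allow_credentials:
        # Only ever paired with a specific origin, never with "*".
        headers["Access-Control-Allow-Credentials"] = "true"

    is_preflight = method.upper() == "OPTIONS" and "access-control-request-method" in req
    if is_preflight:
        headers["Access-Control-Allow-Methods"] = ", ".join(ALLOWED_METHODS)
        headers["Access-Control-Allow-Headers"] = ", ".join(ALLOWED_HEADERS)
        headers["Access-Control-Max-Age"] = str(MAX_AGE_SECONDS)
    return headers


def lint_cors_headers(headers: dict) -> list:
    """Flag the header combinations the text warns about. Returns a list of findings."""
    h = _lower_keys(headers)
    findings = []
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").strip().lower() == "true"
    vary = {v.strip().lower() for v in h.get("vary", "").split(",")}

    if acao == "*" and creds:
        findings.append("Allow-Origin '*' with Allow-Credentials: true is rejected by browsers")
    if creds and acao is None:
        findings.append("Allow-Credentials is set but no Allow-Origin header is present")
    if acao is not None and acao != "*" and "origin" not in vary:
        findings.append("origin-specific Allow-Origin without Vary: Origin can be mis-cached by CDNs")
    return findings


if __name__ == "__main__":
    # Constructed sample requests: an allowed GET, a preflight, and a look-alike origin.
    print(cors_headers({"Origin": "https://app.example.com"}, "GET"))
    print(cors_headers({"Origin": "https://app.example.com",
                        "Access-Control-Request-Method": "PUT"}, "OPTIONS"))
    print(cors_headers({"Origin": "https://app.example.com.evil.test"}, "GET"))
    print(lint_cors_headers({"Access-Control-Allow-Origin": "*",
                             "Access-Control-Allow-Credentials": "true"}))
```

The builder is framework-neutral: call it from the request handler of whichever stack you use and copy the returned dictionary onto the response. The lint function is useful on the other side, for checking the headers a CDN or reverse proxy actually emitted rather than the ones you configured.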

Cache the preflight

Access-Control-Max-Age tells browsers how long to cache the preflight response. Without it, the browser sends OPTIONS before every request. Set it to 86400 (24 hours) for most APIs. Browsers enforce their own upper limit (Chromium caps the value at 7200 seconds, Firefox at 86400), so a larger number is silently reduced rather than honoured.

Test your CORS config with a live preflight → CORSFixer