CORS Policy Generator

Understanding CORS

Cross-Origin Resource Sharing (CORS) is a security feature implemented by web browsers that controls how resources on a web page can be requested from another domain outside the domain from which the resource originated.

Why CORS Exists

The Same-Origin Policy (SOP) is a critical security mechanism that restricts how documents or scripts from one origin can interact with resources from another origin. CORS provides a way to relax this restriction in a controlled manner.

Same-Origin Policy

Two URLs have the same origin if they have:

• Same protocol (http vs https)
• Same domain (example.com vs api.example.com)
• Same port (80 vs 8080)

CORS Headers Explained

Access-Control-Allow-Origin

Specifies which origins can access the resource.

Access-Control-Allow-Methods

Specifies which HTTP methods are allowed when accessing the resource.

Access-Control-Allow-Headers

Specifies which HTTP headers can be used during the actual request.

Access-Control-Expose-Headers

Specifies which headers are safe to expose to the client.

Access-Control-Max-Age

Specifies how long preflight request results can be cached.

Access-Control-Allow-Credentials

Indicates whether the request can include credentials (cookies, HTTP authentication).

CORS Request Types

Simple Requests

Don't trigger a preflight. Must meet all these conditions:

• Method: GET, HEAD, or POST
• Headers: Only safe-listed headers (Accept, Content-Type, etc.)
• Content-Type: application/x-www-form-urlencoded, multipart/form-data, or text/plain

Preflight Requests

Browser sends an OPTIONS request first to check if the actual request is safe to send:

• Uses methods other than GET, HEAD, or POST
• Uses custom headers
• Content-Type other than simple types

OPTIONS /api/data HTTP/1.1
Origin: https://example.com
Access-Control-Request-Method: POST
Access-Control-Request-Headers: Content-Type

Security Best Practices

Don't Use Wildcards in Production

Specify Exact Origins

Credentials and Wildcards

You cannot use wildcards with credentials:

Validate Origins Server-Side

For multiple allowed origins, maintain a whitelist and validate requests:

allowed_origins = ['https://app1.com', 'https://app2.com']
origin = request.headers.get('Origin')
if origin in allowed_origins:
    response.headers['Access-Control-Allow-Origin'] = origin

Limit Methods and Headers

Only allow methods and headers your API actually uses:

• Don't use * for headers
• Only allow necessary HTTP methods
• Restrict custom headers to required ones

Common CORS Errors

"No 'Access-Control-Allow-Origin' header is present"

Cause: Server didn't send CORS headers
Solution: Configure server to send proper CORS headers

"The CORS protocol does not allow specifying a wildcard with credentials"

Cause: Using * with credentials
Solution: Specify exact origin or remove credentials

"Method not allowed by Access-Control-Allow-Methods"

Cause: HTTP method not in allowed list
Solution: Add the method to Access-Control-Allow-Methods

"Header not allowed by Access-Control-Allow-Headers"

Cause: Custom header not in allowed list
Solution: Add the header to Access-Control-Allow-Headers