Build CORS headers, generate server configs, and understand preflight requests.
What is CORS?
Cross-Origin Resource Sharing (CORS) is a browser security mechanism that restricts web pages from making requests to a different origin (domain, protocol, or port) than the one serving the page. The server must explicitly allow cross-origin requests via HTTP headers.
Simple requests (GET, HEAD, POST with standard headers) go directly. Preflight requests (OPTIONS) are sent first for non-simple requests to check if the server allows them.
Configure CORS Headers
Use * for any origin (not recommended with credentials). Comma-separate multiple origins.
Headers the client is allowed to send. Separate with commas.
How long preflight results are cached (86400 = 24h)
Headers the browser is allowed to read from the response
Header Preview
Server Configuration
Preflight Request Explainer
When does a preflight happen?
A preflight OPTIONS request is sent when the actual request:
- Uses a method other than GET, HEAD, or POST
- Includes headers beyond Accept, Accept-Language, Content-Language, Content-Type (with values other than application/x-www-form-urlencoded, multipart/form-data, text/plain)
- Includes custom headers like Authorization, X-Requested-With
Preflight flow:
1. Browser sends OPTIONS request with Access-Control-Request-Method and Access-Control-Request-Headers
2. Server responds with allowed methods, headers, and max-age
3. If allowed, browser sends the actual request
4. Preflight results are cached for Access-Control-Max-Age seconds
Common pitfalls:
- Using * for origin with credentials:true does NOT work
- Missing OPTIONS handler returns 405 Method Not Allowed
- Some proxies strip CORS headers
- Wildcards in Allow-Headers/Methods don't work in all browsers