Access-Control-Allow-Origin: *
Specifies which origins are allowed to access the resource.
Browsers enforce same-origin policy by default. This header relaxes it for trusted origins.
Use a specific origin ('https://yourdomain.com') instead of '*' for authenticated resources. The wildcard disables credentials.
CORS Header Explainer
Enter any CORS-related HTTP header name and value to get a plain-English explanation of what it does, why it exists, whether the current value is safe, and what the recommendation is.
Use Cases
- Debugging cross-origin fetch errors in web applications
- Auditing API response headers for security vulnerabilities
- Learning CORS concepts from real header values
Frequently Asked Questions
Why does Access-Control-Allow-Origin: '*' cause issues?
A wildcard origin disables the ability to send credentials (cookies, Authorization headers) with cross-origin requests. It also removes one layer of server-side trust validation.
What is a CORS preflight request?
For non-simple requests, browsers first send an OPTIONS request to ask if the actual request is allowed. The server must respond with appropriate CORS headers.
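The two answers above, combined into one server-side decision: an exact-match origin allowlist used instead of '*', so credentials stay usable, plus handling of the OPTIONS preflight. This is an added example, not the tool's own code; `corsDecision`, the `ALLOWED_*` lists and the 600-second max age are hypothetical names and constructed sample values.

```javascript
// Added example: allowlist-based CORS header selection.
// All names and sample values below are assumptions made for illustration.
const ALLOWED_ORIGINS = new Set(['https://yourdomain.com', 'https://app.yourdomain.com']);
const ALLOWED_METHODS = ['GET', 'POST', 'PUT', 'DELETE'];
const ALLOWED_HEADERS = ['authorization', 'content-type'];

// `req` is a plain object { method, headers } with lower-cased header names.
// Returns { status, headers } describing the CORS part of the response.
function corsDecision(req) {
  const origin = req.headers['origin'];
  // Vary: Origin stops shared caches from replaying one origin's response to another.
  const headers = { 'Vary': 'Origin' };

  // No Origin header: not a cross-origin browser request, so emit no CORS headers.
  if (!origin) return { status: 200, headers };

  // Exact string match only; substring or regex matching is a common source of bypasses.
  if (!ALLOWED_ORIGINS.has(origin)) return { status: 403, headers };

  // Echo the validated origin (never '*') so credentialed requests are accepted.
  headers['Access-Control-Allow-Origin'] = origin;
  headers['Access-Control-Allow-Credentials'] = 'true';

  // A preflight is an OPTIONS request carrying Access-Control-Request-Method.
  const requestedMethod = req.headers['access-control-request-method'];
  const isPreflight = req.method === 'OPTIONS' && requestedMethod !== undefined;
  if (!isPreflight) return { status: 200, headers };

  const requestedHeaders = (req.headers['access-control-request-headers'] || '')
    .split(',').map((h) => h.trim().toLowerCase()).filter(Boolean);
  const permitted = ALLOWED_METHODS.includes(requestedMethod) &&
    requestedHeaders.every((h) => ALLOWED_HEADERS.includes(h));
  if (!permitted) return { status: 403, headers: { 'Vary': 'Origin' } };

  headers['Access-Control-Allow-Methods'] = ALLOWED_METHODS.join(', ');
  headers['Access-Control-Allow-Headers'] = ALLOWED_HEADERS.join(', ');
  headers['Access-Control-Max-Age'] = '600'; // constructed value: cache the preflight 10 min
  return { status: 204, headers };
}
```

Rejecting an unlisted origin with 403 is a choice made here; omitting the CORS headers alone already stops the browser from exposing the response to the calling page.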