Can I use wildcard origin with credentials?
No. That combination is unsafe, and the tool calls it out because browsers and servers need a tighter policy.
DevToolkit
CORS Header Generator / Checker
Browser only
CORS Header Generator / Checker
Build CORS headers and platform snippets locally in your browser, then check for wildcard origin, credentials, preflight, and dynamic origin issues before you copy anything into production.
Allowed methodsSelect the methods your API or app needs to accept.
This helper runs entirely in your browser and does not upload the policy you type here.
Deep dive
More context for CORS Header Generator / Checker
Useful when you want to shape a browser-safe CORS policy before you wire it into an API, proxy, or edge function.
Overview
What is this tool?
It builds CORS response headers and platform snippets locally in your browser, then best-effort checks wildcard origins, credentials, preflight settings, and dynamic-origin cases that can break in production.
Output
Example output
Raw headers
Access-Control-Allow-Origin: <dynamic request origin> Vary: Origin Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS Access-Control-Allow-Headers: Content-Type, Authorization, X-Requested-With Access-Control-Expose-Headers: X-Request-Id, X-RateLimit-Remaining Access-Control-Allow-Credentials: true Access-Control-Max-Age: 172800
Nginx map block
map $http_origin $cors_allow_origin {
default "";
"https://app.example.com" $http_origin;
"https://admin.example.com" $http_origin;
}
location / {
add_header Access-Control-Allow-Origin $cors_allow_origin always;
add_header Vary "Origin" always;
}Express middleware
function corsMiddleware(req, res, next) {
const origin = req.headers.origin;
if (origin && allowedOrigins.includes(origin)) {
res.setHeader("Access-Control-Allow-Origin", origin);
res.setHeader("Vary", "Origin");
}
next();
}When to use it
Common use cases
- Check a browser API policy before you paste headers into a proxy or framework config.
- Generate a starter config for Nginx, Caddy, Express.js, Cloudflare Workers, or Next.js headers.
- Review wildcard origin, credentials, and preflight behavior before you deploy a public endpoint.
Navigation
Explore related workflows
Keep moving through the collection, workflow, and adjacent tools that usually belong with this page.
Part of collection
Jump to the broader tool set that covers the same problem space.
Related workflow
Continue with the tool chain that usually goes together here.
Debug website headers and CORS
Parse response headers, review security protections, generate CORS snippets, and prepare redirect rules for web apps.
Related tools
Open the closest adjacent tools without leaving the current context.
Answers
FAQ
Why do multiple origins need dynamic handling?
A CORS response can only send one Access-Control-Allow-Origin value. When you allow more than one origin, the server usually has to echo the request Origin dynamically.
Should the client also change its fetch settings?
Yes. If you enable credentials, the browser request also has to opt in with credentials or withCredentials.
Does it replace backend CORS logic?
No. It is a best-effort helper that gives you a starting point, but you still need to verify the behavior in your actual browser, backend, and proxy stack.
Disclaimer
Disclaimer / limitation note
This is a best-effort CORS helper, not a full browser, backend, or proxy validator. CORS behavior depends on the browser, the server framework, reverse proxies, caching layers, and preflight handling. Review origin, credentials, and preflight behavior carefully before you ship a production policy, and do not rely on wildcard origin plus credentials to fix a fast-moving error. All generation and checking happen locally in your browser and are not uploaded to a server.
Privacy
Privacy note
All parsing and generation happen locally in your browser. No backend request is made, no policy text is uploaded, and DevToolkit does not store the values you enter here.