CORS Config Generator
Generate CORS snippets from allowed origins, methods, headers, credentials, and preflight settings.
CORS policy
Allowed methods
Summary
PolicyRestricted origin policy
1 warning(s) need review before deployment.
Origins0
Methods3
CredentialsDisabled
PlatformNginx
Notes
- Do not use wildcard origins with credentials; browsers reject that combination.
- Use Vary: Origin when reflecting request origins from a whitelist.
- Treat generated snippets as a starting point and test preflight requests in your real stack.
Warnings
- No allowed origin is configured. Add origins or enable allow all origins.
Generated config
Generated for Nginxmap $http_origin $cors_origin {
default "";
}
location / {
add_header 'Access-Control-Allow-Origin' '$cors_origin' always;
add_header 'Access-Control-Expose-Headers' 'X-Request-Id' always;
add_header 'Vary' 'Origin' always;
if ($request_method = 'OPTIONS') {
add_header 'Access-Control-Allow-Origin' '$cors_origin' always;
add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS' always;
add_header 'Access-Control-Allow-Headers' 'Content-Type, Authorization' always;
add_header 'Access-Control-Max-Age' '86400' always;
add_header 'Vary' 'Origin' always;
return 204;
}
proxy_pass http://upstream_app;
}Header preview
| Header | Value |
|---|---|
Access-Control-Allow-Origin | $http_origin |
Access-Control-Allow-Methods | GET, POST, OPTIONS |
Access-Control-Allow-Headers | Content-Type, Authorization |
Access-Control-Max-Age | 86400 |
Access-Control-Expose-Headers | X-Request-Id |
Vary | Origin |