Skip to content
uxTools
Developer

CORS Tester & Generator

5 tabs (Header Builder / Preflight Simulator / Analyze Response / Live Test / Reference). 10 snippet formats (raw HTTP, Express, Next.js, Nginx, Apache, FastAPI, Flask, Spring Boot, Caddy). Best-practice validator, visual preflight flow with step-by-step rule checks, real fetch-based live testing.

Quick recipes

Load a sensible baseline for a common scenario, then tweak.

CORS configuration

Build the Access-Control-Allow-* response headers your server should send.

Access-Control-Allow-Origin

Wildcard — allows every origin. Cannot be combined with credentials.

Access-Control-Allow-Methods
Access-Control-Allow-Headers

Comma-separated list. Browser-controlled headers (Cookie, Origin, Host…) are ignored if listed.

Access-Control-Expose-Headers

Response headers JS can read. Safelisted ones (Content-Type, Cache-Control, etc.) are always readable.

Access-Control-Allow-CredentialsAllow cookies and Authorization to be sent. Requires an explicit origin (no wildcard).
Access-Control-Max-Age (seconds)

Chrome caps at 7200s, Firefox at 86400s, Safari at 600s.

Generated headers

Pick a format and drop it into your server, edge or middleware.

Format
HTTP/1.1 204 No Content
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST
Access-Control-Allow-Headers: Content-Type
Access-Control-Max-Age: 600
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST
Access-Control-Allow-Headers: Content-Type
Access-Control-Max-Age: 600

Best-practice review

Common CORS pitfalls and spec conflicts.

Looks good. No common CORS issues detected.