CORS Configuration Tester

Request Builder

Custom Headers (JSON)

{"Content-Type": "application/json"}

Due to browser security, requests are sent from the current origin (). To simulate a different origin, use the Header Analyzer tab.

Response

Send a request to see the response and CORS analysis.

Server Recipes

Quick snippets to properly configure CORS on common backends.

Express (Node.js)

const cors = require('cors');
app.use(cors({
  origin: 'https://client.example.com',
  methods: ['GET', 'POST', 'PUT', 'DELETE'],
  allowedHeaders: ['Content-Type', 'Authorization'],
  credentials: true
}));

Nginx

location /api/ {
  if ($request_method = 'OPTIONS') {
    add_header 'Access-Control-Allow-Origin' 'https://client.example.com';
    add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
    add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization';
    add_header 'Access-Control-Max-Age' 1728000;
    add_header 'Content-Type' 'text/plain; charset=utf-8';
    add_header 'Content-Length' 0;
    return 204;
  }
  add_header 'Access-Control-Allow-Origin' 'https://client.example.com' always;
  add_header 'Access-Control-Allow-Credentials' 'true' always;
}

Spring Boot (Java)

@Configuration
public class WebConfig implements WebMvcConfigurer {
    @Override
    public void addCorsMappings(CorsRegistry registry) {
        registry.addMapping("/**")
            .allowedOrigins("https://client.example.com")
            .allowedMethods("GET", "POST", "PUT", "DELETE")
            .allowedHeaders("*")
            .allowCredentials(true);
    }
}

Django (Python)

# Install django-cors-headers
INSTALLED_APPS = [
    ...,
    'corsheaders',
]
MIDDLEWARE = [
    'corsheaders.middleware.CorsMiddleware',
    ...,
]
CORS_ALLOWED_ORIGINS = [
    "https://client.example.com",
]
CORS_ALLOW_CREDENTIALS = True