cors

Access-Control-Allow-Origin

The core CORS response header: names the single origin (or *) permitted to read this response from client-side JavaScript. If missing or non-matching, the browser blocks the response from the calling script.

Access-Control-Allow-Origin: <origin>  |  *  |  null

Common directives / values

Directive Purpose
* Any origin may read — cannot be combined with Access-Control-Allow-Credentials: true.
<specific origin> Exactly one origin, e.g. 'https://app.example.com' — no wildcards, no port lists.
null Matches responses to requests from sandboxed iframes, file:// URLs, etc.; rarely what you want.

Examples

Access-Control-Allow-Origin: *

Public read-only API (no cookies/auth) — simplest and most cacheable.

Access-Control-Allow-Origin: https://app.example.com\nAccess-Control-Allow-Credentials: true\nVary: Origin

Credentialed API: echo the exact request Origin and always Vary on it.

Access-Control-Allow-Origin: https://admin.example.com

Single trusted UI allowed to hit this endpoint.

Access-Control-Allow-Origin: null

Only matches Origin: null (sandboxed iframes, opaque origins) — usually a security smell.

Gotcha

Access-Control-Allow-Origin: * cannot be used with credentials — the browser will reject the response if Allow-Credentials is also true. Always set Vary: Origin when the value is dynamic, or a CDN will happily serve one origin's response to another.

Related headers

← All HTTP headers · HTTP status codes · Fix CORS errors