cors
Access-Control-Allow-Origin
The core CORS response header: names the single origin (or *) permitted to read this response from client-side JavaScript. If missing or non-matching, the browser blocks the response from the calling script.
Access-Control-Allow-Origin: <origin> | * | null Common directives / values
| Directive | Purpose |
|---|---|
| * | Any origin may read — cannot be combined with Access-Control-Allow-Credentials: true. |
| <specific origin> | Exactly one origin, e.g. 'https://app.example.com' — no wildcards, no port lists. |
| null | Matches responses to requests from sandboxed iframes, file:// URLs, etc.; rarely what you want. |
Examples
Access-Control-Allow-Origin: * Public read-only API (no cookies/auth) — simplest and most cacheable.
Access-Control-Allow-Origin: https://app.example.com\nAccess-Control-Allow-Credentials: true\nVary: Origin Credentialed API: echo the exact request Origin and always Vary on it.
Access-Control-Allow-Origin: https://admin.example.com Single trusted UI allowed to hit this endpoint.
Access-Control-Allow-Origin: null Only matches Origin: null (sandboxed iframes, opaque origins) — usually a security smell.
Gotcha
Access-Control-Allow-Origin: * cannot be used with credentials — the browser will reject the response if Allow-Credentials is also true. Always set Vary: Origin when the value is dynamic, or a CDN will happily serve one origin's response to another.
Related headers
Access-Control-Allow-Credentials
Signals that the response may be shared with the requesting origin even when the request was made with credentials (cookies, HTTP auth, or client TLS certs). The only legal value is the literal string 'true'.
Access-Control-Allow-Methods
Sent in the preflight (OPTIONS) response to list which HTTP methods the actual cross-origin request may use. Cached by the browser according to Access-Control-Max-Age.
Access-Control-Allow-Headers
Preflight response listing which request headers the actual request is allowed to send. Required whenever the client sends any non-CORS-safelisted header such as Authorization or a custom X-* header.
Vary
Tells caches which request headers were used for content negotiation, so they know to store and serve separate variants keyed by those headers. Missing or wrong Vary causes users to see cached content meant for someone else (wrong language, encoding, or device).
Access-Control-Expose-Headers
Lists response headers that the browser will expose to client JavaScript across origins. By default only a small CORS-safelisted set (Cache-Control, Content-Language, Content-Length, Content-Type, Expires, Last-Modified, Pragma) is readable.