CORS headers reference
Complete reference for all Cross-Origin Resource Sharing (CORS) HTTP request and response headers with descriptions, default values, and examples.
CORS Response Headers
Cross-Origin Resource Sharing (CORS) response headers tell the browser whether to permit a cross-origin request. The server sets these headers on responses to both preflight OPTIONS requests and actual requests.
| Header | Description | Default | Example |
|---|---|---|---|
| Access-Control-Allow-Origin | Specifies which origin may access the resource. Accepts a single origin or the `*` wildcard for public resources served without credentials. The browser blocks the response if this header is missing or does not match the requesting origin. When the value is chosen per request from an allowlist, also send `Vary: Origin` so shared caches do not serve one origin's response to another. | Not set (no cross-origin access) | `Access-Control-Allow-Origin: https://example.com` |
| Access-Control-Allow-Methods | Lists the HTTP methods the server permits for cross-origin requests. Returned in the preflight response so the browser can check the method named in `Access-Control-Request-Method`. The `*` wildcard is honoured only for requests without credentials. | Not set | `Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS` |
| Access-Control-Allow-Headers | Lists the request headers the client may include in the actual cross-origin request. Returned in the preflight response. The `*` wildcard is honoured only for requests without credentials (with credentials it is treated as a literal header name), and `Authorization` is never covered by the wildcard: it must always be listed explicitly. | Not set | `Access-Control-Allow-Headers: Content-Type, Authorization, X-Requested-With` |
| Access-Control-Allow-Credentials | Indicates whether the browser may expose the response when the request carried credentials (cookies, TLS client certificates, or HTTP authentication). Must be `true` when the client sets `credentials: 'include'` on the Fetch request; otherwise the browser discards the response. Cannot be combined with `Access-Control-Allow-Origin: *`; the allowed origin must be echoed explicitly. | false | `Access-Control-Allow-Credentials: true` |
| Access-Control-Max-Age | Specifies the number of seconds the browser may cache the preflight result, avoiding a repeated OPTIONS request for the same URL, method and headers. Browsers cap the value: Chromium at 7200 seconds (2 hours), Firefox at 86400 seconds (24 hours). A value of `-1` disables caching. | 5 seconds when the header is absent (Fetch specification default) | `Access-Control-Max-Age: 86400` |
| Access-Control-Expose-Headers | Lists response headers that JavaScript may read beyond the CORS-safelisted response headers (`Cache-Control`, `Content-Language`, `Content-Length`, `Content-Type`, `Expires`, `Last-Modified`, `Pragma`). Without this header, the browser hides all other response headers from client-side code. The `*` wildcard exposes all headers for requests without credentials. | Only CORS-safelisted headers exposed | `Access-Control-Expose-Headers: X-Request-Id, X-RateLimit-Remaining` |
CORS Request Headers
Cross-Origin Resource Sharing (CORS) request headers are added by the browser: Origin on every cross-origin request, and the Access-Control-Request-* headers only on the preflight OPTIONS request. They are forbidden request headers, so page script cannot set or spoof them. A server can therefore rely on Origin as the browser's statement of which page sent the request, but not as proof that a request is benign, since a non-browser client can send any Origin value it likes.
| Header | Description | When Sent | Example |
|---|---|---|---|
| Origin | Identifies the scheme, host, and port of the page that initiated the request, or `null` for opaque origins such as sandboxed iframes and `file:` pages. The browser includes this header on all cross-origin requests, both simple requests and preflight requests. Never allowlist `null`: any attacker can produce it. | All cross-origin requests | `Origin: https://app.example.com` |
| Access-Control-Request-Method | Indicates the HTTP method the browser will use for the actual request. Sent only in the preflight OPTIONS request. | Preflight only | `Access-Control-Request-Method: PUT` |
| Access-Control-Request-Headers | Lists the request headers, beyond the CORS-safelisted ones, that the actual request will carry. Sent only in the preflight OPTIONS request, and only when the request uses such headers (a `Content-Type` other than `application/x-www-form-urlencoded`, `multipart/form-data` or `text/plain` counts). Browsers send the names lowercased and sorted. | Preflight only | `Access-Control-Request-Headers: Content-Type, Authorization` |
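Which of these headers a browser sends, and with what values, follows from the request the page makes. The following is an added example (not code from this reference page) that reproduces that decision: given the page URL and the method and headers passed to `fetch()`, it returns the `Origin` the browser will send, whether a preflight precedes the request, and the `Access-Control-Request-*` headers the preflight carries. It applies the Fetch specification's CORS-safelisted method and request-header rules; the specification's per-value byte-length and character restrictions are deliberately omitted, so a real browser may preflight slightly more often than this function predicts. The page URL and request headers in the usage are constructed sample input.

```javascript
// Added example, not part of the original reference page: the browser's
// simple-vs-preflighted decision, reproduced in code. Follows the Fetch
// specification's CORS-safelisted method and request-header rules; the spec's
// per-value byte-length and character restrictions are omitted here.
const SAFELISTED_METHODS = new Set(['GET', 'HEAD', 'POST']);
const SAFELISTED_HEADERS = new Set(['accept', 'accept-language', 'content-language', 'content-type']);
// Content-Type is safelisted only with one of these three media types.
const SAFELISTED_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain',
]);

function isSafelistedRequestHeader(name, value) {
  const n = name.toLowerCase();
  if (!SAFELISTED_HEADERS.has(n)) return false;
  if (n === 'content-type') {
    // Parameters such as "; charset=utf-8" or "; boundary=..." do not matter;
    // only the media type itself is checked.
    const essence = value.split(';')[0].trim().toLowerCase();
    return SAFELISTED_CONTENT_TYPES.has(essence);
  }
  return true;
}

// pageUrl: URL of the page issuing the request. method/headers: what the
// script passed to fetch(). Returns the Origin the browser will send, whether
// a preflight precedes the request, and the headers that preflight carries.
function classifyCorsRequest(pageUrl, method, headers) {
  // URL.origin serialises scheme://host[:port] and drops default ports.
  const origin = new URL(pageUrl).origin;
  const m = method.toUpperCase();
  // Browsers send the non-safelisted names byte-lowercased, sorted, comma-joined.
  const unsafeNames = Object.entries(headers)
    .filter(([name, value]) => !isSafelistedRequestHeader(name, value))
    .map(([name]) => name.toLowerCase())
    .sort();
  const preflight = !SAFELISTED_METHODS.has(m) || unsafeNames.length > 0;
  if (!preflight) return { origin, preflight: false, preflightHeaders: null };
  const preflightHeaders = { Origin: origin, 'Access-Control-Request-Method': m };
  if (unsafeNames.length > 0) {
    preflightHeaders['Access-Control-Request-Headers'] = unsafeNames.join(',');
  }
  return { origin, preflight: true, preflightHeaders };
}

// Constructed sample input for this example:
const pageUrl = 'https://app.example.com:443/dashboard';
// A JSON PUT with a bearer token is preflighted: PUT is not a safelisted method,
// and neither application/json nor Authorization is a safelisted header.
console.log(classifyCorsRequest(pageUrl, 'PUT',
  { 'Content-Type': 'application/json', Authorization: 'Bearer token' }));
// A form POST goes out directly with only Origin added; no preflight.
console.log(classifyCorsRequest(pageUrl, 'POST',
  { 'Content-Type': 'application/x-www-form-urlencoded' }));
```

The practical consequence for a defender: a simple request (form POST, plain GET) reaches the server with no preflight at all, so a CORS policy never protects an endpoint against a cross-site form submission; that is CSRF territory (SameSite cookies, anti-CSRF tokens), and CORS only governs whether the calling page can read the response.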