Core CORS Response Headers
Use these headers to control which origins, methods, and request headers are allowed.
Access-Control-Allow-Origin: https://app.example.com
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS
Access-Control-Allow-Headers: Content-Type, Authorization
Access-Control-Allow-Credentials: trueExample (Express.js)
app.use((req, res, next) => {
res.setHeader('Access-Control-Allow-Origin', 'https://app.example.com');
res.setHeader('Access-Control-Allow-Methods', 'GET,POST,PUT,DELETE,OPTIONS');
res.setHeader('Access-Control-Allow-Headers', 'Content-Type, Authorization');
next();
});Preflight (OPTIONS) Requests
Browsers send an OPTIONS request before certain cross-origin requests.
OPTIONS /api/orders HTTP/1.1
Origin: https://app.example.com
Access-Control-Request-Method: POST
Access-Control-Request-Headers: authorization, content-typeExample Preflight Response
HTTP/1.1 204 No Content
Access-Control-Allow-Origin: https://app.example.com
Access-Control-Allow-Methods: GET, POST, OPTIONS
Access-Control-Allow-Headers: Authorization, Content-Type
Access-Control-Max-Age: 600Common CORS Debugging Checks
Verify request origin, credentials mode, and exact header values in browser devtools.
# Inspect response headers quickly
curl -i https://api.example.com/data -H "Origin: https://app.example.com"Common mistakes / Pitfalls
- People often copy a command or pattern without adapting placeholders, which can break production workflows unexpectedly.
- It is easy to forget environment-specific differences, so always verify behavior in your shell, runtime, or API gateway before shipping.
- Many errors come from skipping small validation steps, so test with realistic sample input before relying on the result.
Last updated: February 2026