CORS Cheat Sheet
Explains Cross-Origin Resource Sharing headers, preflight requests, server configuration, and common gotchas like credentials plus wildcard.
2 PagesIntermediateFeb 28, 2026
Key CORS Headers
The response headers that control cross-origin access.
- Access-Control-Allow-Origin- Which origin(s) may access the response; '*' or a specific origin
- Access-Control-Allow-Methods- HTTP methods allowed for cross-origin requests
- Access-Control-Allow-Headers- Custom request headers the client is permitted to send
- Access-Control-Allow-Credentials- true if cookies/auth headers may be included; requires a specific origin
- Access-Control-Max-Age- How long (seconds) the browser may cache a preflight response
- Access-Control-Expose-Headers- Response headers beyond the safelisted set that client JS may read
Enabling CORS (Express)
Using the cors middleware, and the manual equivalent.
javascript
const express = require('express');const cors = require('cors');const app = express();// Allow a specific origin with credentialsapp.use(cors({ origin: 'https://app.example.com', methods: ['GET', 'POST', 'PUT', 'DELETE'], allowedHeaders: ['Content-Type', 'Authorization'], credentials: true,}));// Manual version (no library)app.use((req, res, next) => { res.setHeader('Access-Control-Allow-Origin', 'https://app.example.com'); res.setHeader('Access-Control-Allow-Methods', 'GET,POST,PUT,DELETE'); res.setHeader('Access-Control-Allow-Credentials', 'true'); if (req.method === 'OPTIONS') return res.sendStatus(204); next();});
Preflight Request Example
The automatic OPTIONS handshake before a non-simple request.
http
# Browser sends this automatically before a "non-simple" request# (e.g. Content-Type: application/json, or custom headers)OPTIONS /api/orders HTTP/1.1Origin: https://app.example.comAccess-Control-Request-Method: POSTAccess-Control-Request-Headers: content-type, authorization# Server must respond with matching allowancesHTTP/1.1 204 No ContentAccess-Control-Allow-Origin: https://app.example.comAccess-Control-Allow-Methods: POSTAccess-Control-Allow-Headers: content-type, authorizationAccess-Control-Max-Age: 86400
Common Gotchas
The mistakes that cause most CORS debugging sessions.
- Wildcard + credentials- Access-Control-Allow-Origin: * cannot be combined with Allow-Credentials: true
- Enforced by the browser- CORS doesn't protect your server; server-to-server requests ignore it entirely
- Simple vs preflighted- GET/POST with only safelisted headers/content-types skip the OPTIONS preflight
- Credentials need exact origin- Can't use a wildcard when cookies/Authorization headers are sent cross-origin
- Preflight caching- Max-Age caches the preflight, but browsers cap the effective duration
Pro Tip
CORS errors show up in the browser console but are a client-side restriction only — if the same request works fine via curl or Postman, the fix is missing or incorrect CORS headers on the server, not a network or auth bug.
Was this cheat sheet helpful?
Explore Topics
#CORS#CORSCheatSheet#WebDevelopment#Intermediate#KeyCORSHeaders#EnablingCORSExpress#PreflightRequestExample#CommonGotchas#CheatSheet#SkillVeris
Advertisement
Sri Hayavadhana Info-Tech
Professional Web Designing Services
- Responsive Websites
- E-commerce Solutions
- SEO Friendly Design
- Fast & Secure
- Support & Maintenance