100% Free Forever
AI-Powered Learning
Industry Expert Content
Certificates & Badges
Learn At Your Own Pace

CORS Cheat Sheet

CORS Cheat Sheet

Explains Cross-Origin Resource Sharing headers, preflight requests, server configuration, and common gotchas like credentials plus wildcard.

2 PagesIntermediateFeb 28, 2026

Key CORS Headers

The response headers that control cross-origin access.

  • Access-Control-Allow-Origin- Which origin(s) may access the response; '*' or a specific origin
  • Access-Control-Allow-Methods- HTTP methods allowed for cross-origin requests
  • Access-Control-Allow-Headers- Custom request headers the client is permitted to send
  • Access-Control-Allow-Credentials- true if cookies/auth headers may be included; requires a specific origin
  • Access-Control-Max-Age- How long (seconds) the browser may cache a preflight response
  • Access-Control-Expose-Headers- Response headers beyond the safelisted set that client JS may read

Enabling CORS (Express)

Using the cors middleware, and the manual equivalent.

javascript
const express = require('express');const cors = require('cors');const app = express();// Allow a specific origin with credentialsapp.use(cors({  origin: 'https://app.example.com',  methods: ['GET', 'POST', 'PUT', 'DELETE'],  allowedHeaders: ['Content-Type', 'Authorization'],  credentials: true,}));// Manual version (no library)app.use((req, res, next) => {  res.setHeader('Access-Control-Allow-Origin', 'https://app.example.com');  res.setHeader('Access-Control-Allow-Methods', 'GET,POST,PUT,DELETE');  res.setHeader('Access-Control-Allow-Credentials', 'true');  if (req.method === 'OPTIONS') return res.sendStatus(204);  next();});

Preflight Request Example

The automatic OPTIONS handshake before a non-simple request.

http
# Browser sends this automatically before a "non-simple" request# (e.g. Content-Type: application/json, or custom headers)OPTIONS /api/orders HTTP/1.1Origin: https://app.example.comAccess-Control-Request-Method: POSTAccess-Control-Request-Headers: content-type, authorization# Server must respond with matching allowancesHTTP/1.1 204 No ContentAccess-Control-Allow-Origin: https://app.example.comAccess-Control-Allow-Methods: POSTAccess-Control-Allow-Headers: content-type, authorizationAccess-Control-Max-Age: 86400

Common Gotchas

The mistakes that cause most CORS debugging sessions.

  • Wildcard + credentials- Access-Control-Allow-Origin: * cannot be combined with Allow-Credentials: true
  • Enforced by the browser- CORS doesn't protect your server; server-to-server requests ignore it entirely
  • Simple vs preflighted- GET/POST with only safelisted headers/content-types skip the OPTIONS preflight
  • Credentials need exact origin- Can't use a wildcard when cookies/Authorization headers are sent cross-origin
  • Preflight caching- Max-Age caches the preflight, but browsers cap the effective duration
Pro Tip

CORS errors show up in the browser console but are a client-side restriction only — if the same request works fine via curl or Postman, the fix is missing or incorrect CORS headers on the server, not a network or auth bug.

Was this cheat sheet helpful?

Explore Topics

#CORS#CORSCheatSheet#WebDevelopment#Intermediate#KeyCORSHeaders#EnablingCORSExpress#PreflightRequestExample#CommonGotchas#CheatSheet#SkillVeris
Advertisement
Sri Hayavadhana Info-Tech

Professional Web Designing Services

  • Responsive Websites
  • E-commerce Solutions
  • SEO Friendly Design
  • Fast & Secure
  • Support & Maintenance
Get a Free Quote

Related Glossary Terms

Share this Cheat Sheet