CORS Guide & Debugger

CORS is a browser security policy, not a server or network restriction. Postman is not a browser and does not enforce the Same-Origin Policy, so it can make cross-origin requests without restriction. The browser automatically includes the Origin header and enforces the CORS handshake for cross-origin requests from JavaScript. This is why CORS errors only appear in browser DevTools and not in API testing tools.

The CORS specification explicitly forbids using a wildcard origin (*) when Access-Control-Allow-Credentials: true is set. This is a deliberate security decision: a wildcard would allow any website to send authenticated requests (with cookies or auth headers) to your API on behalf of any logged-in user. Instead, you must specify the exact origin, and your server must dynamically reflect the request's Origin header after validating it against an allowlist.

A preflight OPTIONS request is triggered when any of these conditions are met: (1) the method is PUT, DELETE, PATCH, or CONNECT; (2) the request includes custom headers beyond Accept, Accept-Language, Content-Language, or Content-Type; (3) the Content-Type is anything other than application/x-www-form-urlencoded, multipart/form-data, or text/plain. Most API calls that send JSON (Content-Type: application/json) or include Authorization headers will trigger a preflight.

Open the browser DevTools Network tab and look for the failing request. If you see a red request with status "CORS error" or "(blocked:other)", click it and check the Response Headers tab — the absence of Access-Control-Allow-Origin is the most common cause. For preflight failures, look for an OPTIONS request just before the actual request and check its response. The browser Console will also show a descriptive error message naming which header is missing or has an incorrect value.

Access-Control-Max-Age specifies the number of seconds the browser can cache the result of a preflight request. During this time, repeated requests to the same endpoint with the same method and headers will not trigger a new preflight. Setting it to 86400 (24 hours) significantly reduces network overhead for SPAs that make frequent API calls. The maximum value is browser-dependent — Chrome caps it at 7200 seconds, Firefox at 86400.

In Nginx, add CORS headers inside the server or location block. Use add_header Access-Control-Allow-Origin $http_origin to reflect the request origin dynamically. Add an if ($request_method = OPTIONS) block that returns 204 immediately after setting the preflight response headers. The $http_origin variable lets you validate the origin against a list using an Nginx map block, preventing open CORS policies.

Access-Control-Allow-Headers is sent in the preflight response and tells the browser which request headers the client is allowed to include in the actual request (e.g., Authorization, Content-Type). Access-Control-Expose-Headers is sent in the actual response and tells the browser which response headers JavaScript is allowed to read via the XMLHttpRequest or Fetch API. By default, only a small set of "safe-listed" response headers (like Content-Type) are visible to JavaScript.

CORS only allows a single origin value in Access-Control-Allow-Origin per response. To support multiple origins, the server must dynamically check the incoming request's Origin header against an allowlist and reflect the exact origin back if it matches. In Express: set the cors origin option to a function that calls callback(null, allowlist.includes(origin)). In Django: CORS_ALLOWED_ORIGINS is a list and django-cors-headers handles the reflection automatically.