API Pricing RU Sign In

Site Analysis

HTTP Headers Advanced Health Score PageSpeed Security Redirect Chain Broken Links HTTP/2 & HTTP/3

Domain & DNS

DNS DNS Propagation WHOIS SSL CMS Detector

Network

Ping Traceroute IP ASN Lookup IP/CIDR Calculator

Security

Spam Lists RKN Check IP Abuse Check DKIM Generator Email Deliverability Mixed Content SEO Audit Schema Checker Site Comparison

SEO & AI

Robots.txt AI Readiness llms.txt Keywords

Utilities

Formatter Cron Tester JWT Decoder TTL Calculator Batch Heartbeat Status Pages

Information

API Documentation Articles Pricing Help Contact

RU Sign In Sign Up

Home / HTTP Headers / Access-Control-Allow-Origin

← All HTTP Headers

CORS

Access-Control-Allow-Origin

Specifies which origins are permitted to read the response, the fundamental CORS header.

Syntax

Access-Control-Allow-Origin: * | &lt;origin&gt;

Example

Access-Control-Allow-Origin: https://example.com

Description

Access-Control-Allow-Origin is the most important CORS header. Tells the browser which origins can access the response.

Value: specific origin (e.g., https://example.com) or * (any origin). * cannot be used with credentials.

For security, avoid * on sensitive endpoints. Validate the Origin header against an allowlist. Always include Vary: Origin when dynamic.

Check if your website sends this header correctly

Check your headers →

HTTP Methods Explained: GET, POST, PUT, DELETE and Beyond

A comprehensive guide to HTTP methods — GET, POST, PUT, PATCH, DELETE, HEAD, OPTIONS. Learn semantics, use cases, and best practices for REST APIs.

CORS Explained: Cross-Origin Resource Sharing Guide

Understand CORS — how cross-origin requests work, preflight checks, headers, common errors, and how to configure CORS correctly for your web application.

HTTP Caching Guide: Cache-Control, ETag, Expires

Complete guide to HTTP caching: Cache-Control, ETag, Expires, Last-Modified headers. Learn how to configure caching to speed up your website.

Related Headers

Access-Control-Allow-Credentials

Indicates whether the response to a credentialed cross-origin request can be exposed to JavaScript.

Access-Control-Allow-Headers

Specifies which HTTP headers can be used in the actual request following a CORS preflight.

Access-Control-Allow-Methods

Specifies which HTTP methods are allowed in a CORS preflight response.

Access-Control-Max-Age

Specifies how long the results of a CORS preflight request can be cached.

Start monitoring for free

Create Account API Documentation

⚡

enterno.io

Website monitoring and analysis tools

Site Analysis HTTP Headers Advanced Health Score PageSpeed Security Redirect Chain Broken Links HTTP/2 & HTTP/3

Domain & DNS & Network DNS Lookup DNS Propagation WHOIS SSL Check CMS Detector Ping & Ports Traceroute IP Geolocation ASN Lookup IP/CIDR Calculator

Security Spam Lists RKN Check IP Abuse Check DKIM Generator Email Deliverability Mixed Content

SEO & AI & Utilities Robots.txt AI Readiness llms.txt Keywords SEO Audit Schema Checker Site Comparison Formatter Cron Tester JWT Decoder TTL Calculator Batch Check

Service API Documentation Pricing Help Compare Articles HTTP Headers Reference HTTP Status Codes Contact Privacy Policy Terms of Service Heartbeat Status Pages

PHP 8.4 · Hosting: Russia