Why can’t I use Access-Control-Allow-Origin: * with credentials?

The Fetch standard forbids it: when a request includes credentials, the browser requires an exact-match origin and Access-Control-Allow-Credentials: true. A wildcard would let any site read authenticated responses, so the browser blocks it.

Does the evaluator send a request to my endpoint?

No. You paste the response headers you already observed (e.g. from curl -I), and the tool simulates the browser’s CORS algorithm locally. Nothing leaves your browser.

CORS Builder.

Generate correct Access-Control-* headers for your server, with plain-English explanations and checks for the dangerous combinations — then paste a real endpoint's response headers to see whether a browser would actually allow a given request.

Allowed origins

AllowlistReflect (echo if allowed)Any (*)

Origins — one per lineAn origin is scheme + host (+ optional port), no path or trailing slash.

Methods

GETHEADPOSTPUTPATCHDELETEOPTIONS

Allowed request headers

Content-TypeAuthorizationX-Requested-WithAcceptOriginX-CSRF-Token

Options

Allow credentials (cookies / Authorization)Cannot be combined with Allow-Origin: *. The response becomes readable cross-origin.

Preflight cache — Access-Control-Max-Age (seconds)

Exposed response headersComma-separated. Response headers JS may read via getResponseHeader().

headers.txt

The CORS rules that trip people up

Wildcard ✕ credentials

Access-Control-Allow-Origin: * is invalid once a request carries cookies. Echo the exact request Origin and add Allow-Credentials: true — for trusted origins only.

Reflecting the Origin

Blindly echoing back whatever Origin arrives, with credentials, lets any site read authenticated responses. Always check against an allowlist first.

Preflights & `Vary: Origin`

Non-simple methods or custom headers cause an OPTIONS preflight. When the allowed origin is dynamic, send Vary: Origin so caches don't cross the streams.

CORS Builder.

Paste response headers and describe the request.

The CORS rules that trip people up

Wildcard ✕ credentials

Reflecting the Origin

Preflights & Vary: Origin

Preflights & `Vary: Origin`