Access-Control-Allow-Origin field

Access-Control-Allow-Origin identifies which requesting origin may read a CORS response.

  • cors
  • origins
  • fields
  • browsers

Meaning

Access-Control-Allow-Origin is a response field used by the browser CORS protocol. It tells the browser that the response can be shared with the named request origin, or with non-credentialed callers when the value is *.

Access-Control-Allow-Origin: https://app.example.invalid
Vary: Origin

Expected result: a CORS request whose serialized Origin is exactly https://app.example.invalid can pass the origin check, subject to the rest of the CORS protocol. Vary: Origin prevents a shared cache from treating responses for different request origins as interchangeable.

Credentials change the wildcard rule

For a request whose credentials mode is include, the server must return the explicit serialized origin and Access-Control-Allow-Credentials: true. The wildcard value does not authorize a credentialed response.

The origin value has no trailing slash. It is a serialized origin such as https://app.example.invalid, not an arbitrary page URL or a comma-separated allowlist.

It is not access control for the resource

CORS controls whether browser JavaScript can read a cross-origin response. It does not authenticate the requester, authorize an operation, prevent a request from reaching the server, or protect a resource from non-browser clients.

Common mistakes

  • Do not combine multiple origins into one field value.
  • Do not reflect any supplied Origin without checking an allowlist.
  • Add Vary: Origin when the value changes by request origin.
  • Diagnose preflight permission separately from the actual response’s origin grant.

Primary sources