Access-Control-Allow-Origin

CORS response header that specifies which origins may read the response. * allows any origin; otherwise the value is a single specific origin.

Response

Syntax

Access-Control-Allow-Origin: <origin> | *

Example values

| Value | Explanation |
| --- | --- |
| * | Allow any origin (no credentials) |
| https://app.example.com | Single origin |

cURL usage

curl -i -H 'Origin: https://other.com' https://api.example.com  # Check CORS

Common mistakes

Using * on responses to requests that carry credentials; omitting the header from the response to the preflight OPTIONS request.
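
One way to avoid both mistakes on the server side, shown as an added example that is not part of the original reference page. The function name, the allowlist contents and the permitted methods and headers are assumptions chosen for illustration.

```javascript
// Added example; names, allowlist and permitted methods/headers are assumptions.
const ALLOWED_ORIGINS = new Set(['https://app.example.com']); // constructed allowlist

// req: { method, headers } with lowercase header names (as in Node's http module).
// policy.credentials: the API uses cookies or HTTP auth.
// policy.publicResource: the response is safe for any site to read.
function corsHeaders(req, { credentials = false, publicResource = false } = {}) {
  const origin = req.headers['origin'];
  const out = {};
  if (!origin) return out; // no Origin header: not a CORS request

  if (publicResource && !credentials) {
    // Wildcard is only used when no credentials are involved.
    out['Access-Control-Allow-Origin'] = '*';
  } else if (ALLOWED_ORIGINS.has(origin)) {
    // Exact-match allowlist; an unchecked Origin value is never reflected.
    out['Access-Control-Allow-Origin'] = origin;
    out['Vary'] = 'Origin'; // response differs per origin, so caches must key on it
    if (credentials) out['Access-Control-Allow-Credentials'] = 'true';
  } else {
    return out; // unlisted origin: no CORS headers, so the browser blocks the read
  }

  // Preflight: OPTIONS carrying Access-Control-Request-Method.
  // It must receive Access-Control-Allow-Origin as well, or the real request is never sent.
  if (req.method === 'OPTIONS' && req.headers['access-control-request-method']) {
    out['Access-Control-Allow-Methods'] = 'GET, POST';
    out['Access-Control-Allow-Headers'] = 'Content-Type, Authorization';
  }
  return out;
}

// Constructed sample requests.
const samples = [
  { method: 'GET', headers: { origin: 'https://app.example.com' } },
  { method: 'GET', headers: { origin: 'https://other.com' } },
  { method: 'OPTIONS', headers: { origin: 'https://app.example.com', 'access-control-request-method': 'POST' } },
];
for (const req of samples) {
  console.log(req.method, req.headers.origin, corsHeaders(req, { credentials: true }));
}
```

The same function serves both the preflight and the actual request, so the two responses cannot disagree about which origin is allowed.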
