What does Access-Control-Allow-Origin control?

It names which origin may read the response from a cross-origin request. A specific origin like https://app.example.com is precise, while * allows any origin to read the response, which is only safe for genuinely public, non-credentialed resources.

Why is wildcard origin with credentials forbidden?

Browsers refuse to expose a response when Access-Control-Allow-Origin is * and Access-Control-Allow-Credentials is true. Sending credentials to any origin would let any site read authenticated responses, so the combination is blocked outright.

What is Access-Control-Max-Age for?

It tells the browser how many seconds it may cache the preflight (OPTIONS) result, reducing repeated preflights. A larger value improves performance but delays picking up changes to your CORS policy.

Does Allow-Origin alone expose every header?

No. By default the browser only exposes a small set of simple response headers to scripts. To let JavaScript read custom headers you must list them in Access-Control-Expose-Headers.

Is anything sent to a server?

No. The headers you paste are parsed entirely in your browser. Nothing is transmitted, so you can analyse internal or production headers safely.

CORS Header Explainer & Validator

Cross-Origin Resource Sharing (CORS) is the browser mechanism that decides whether JavaScript on one origin may read a response from another. It is controlled entirely by a set of Access-Control-* response headers, and small mistakes can either break legitimate requests or open serious security holes. This tool parses pasted CORS headers and explains, in plain English, exactly what they permit — and flags dangerous combinations.

How it works

The tool reads each recognised CORS response header and interprets it against the CORS spec:

Access-Control-Allow-Origin — the single origin (or *) allowed to read the response.
Access-Control-Allow-Methods — the HTTP methods permitted on the actual request (returned in preflight).
Access-Control-Allow-Headers — which request headers the client may send.
Access-Control-Allow-Credentials — whether cookies and auth headers are allowed; must not be true alongside a * origin.
Access-Control-Max-Age — how long the preflight result may be cached, in seconds.
Access-Control-Expose-Headers — which response headers JavaScript is allowed to read.

It then runs validation: the forbidden wildcard-plus-credentials combination, a * origin (read access for any site), and Allow-Headers: * with credentials (also invalid) are all flagged.

Tips and example

Given these headers:

Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true

the tool explains that any origin may read the response and warns that this exact combination is rejected by browsers — credentials cannot be sent to a wildcard origin. The fix is to echo the specific requesting origin instead of * whenever credentials are involved, and to keep * only for truly public, unauthenticated endpoints.