CORS Headers Builder
Builds the response headers a server needs to send to satisfy a browser's cross-origin request. Includes Allow-Origin, Allow-Methods, Allow-Headers, Expose-Headers, Allow-Credentials, Max-Age, and a Vary: Origin hint. Flags the common foot-guns: combining * with credentials (browsers will block it), accepting Origin: null (an attacker can spoof it), or asking the browser to cache the preflight for unreasonably long.
Access-Control-Allow-Origin: https://example.com
Access-Control-Allow-Methods: GET, POST
Access-Control-Allow-Headers: Content-Type, Authorization
Access-Control-Allow-Credentials: true
Access-Control-Max-Age: 600
Vary: Origin
Send these on the response to the preflight OPTIONS request *and* on the response to the actual request. Edge caches need Vary: Origin if you echo Origin.
How to use
- Start from a preset that matches your scenario.
- Set the origin (* for fully-public, or echo the request's Origin server-side for credentialed APIs).
- Pick the methods and headers your endpoint actually accepts — narrower is safer.
- Copy the headers into your server, edge worker, or framework middleware.
Frequently asked questions
- Can I use * and credentials together?
- No. The fetch spec rejects responses that pair Access-Control-Allow-Origin: * with Access-Control-Allow-Credentials: true. Either drop credentials, or echo the actual request Origin server-side after validating it against an allow-list.
- Why the Vary: Origin recommendation?
- If you echo Origin into Allow-Origin, downstream caches must vary their stored response on the request's Origin header; otherwise they may serve one site's CORS response to another site's request. Vary: Origin tells caches to key on that header.
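One way to apply the allow-list echo and Vary: Origin advice from the answers above on the server side, as an added example that is not code from the tool on this page. The policy object shape, the function names, and the 86400-second Max-Age ceiling are assumptions.

```javascript
// Added example; policy shape, function names and MAX_AGE_LIMIT are assumptions.
const MAX_AGE_LIMIT = 86400; // assumed ceiling (seconds) for "unreasonably long"

// Report the foot-guns this page lists for a policy object.
function lintPolicy(policy) {
  const warnings = [];
  if (policy.origins.includes('*') && policy.credentials) {
    warnings.push('wildcard-with-credentials');
  }
  if (policy.origins.includes('null')) warnings.push('null-origin-allowed');
  if (policy.maxAge > MAX_AGE_LIMIT) warnings.push('max-age-too-long');
  return warnings;
}

// Build response headers for one request. requestOrigin is the value of the
// request's Origin header (undefined when the request carries none).
function corsHeaders(requestOrigin, policy) {
  const headers = {};
  // "*" is only usable when credentials are off; otherwise fall back to the list.
  const wildcard = policy.origins.includes('*') && !policy.credentials;
  // Echoed responses differ per Origin, so caches must key on that header.
  if (!wildcard) headers['Vary'] = 'Origin';
  let allowOrigin = null;
  if (wildcard) {
    allowOrigin = '*';
  } else if (requestOrigin && requestOrigin !== 'null' &&
             policy.origins.includes(requestOrigin)) {
    allowOrigin = requestOrigin; // exact match against the allow-list, then echo
  }
  if (!allowOrigin) return headers; // no grant: the browser blocks the read
  headers['Access-Control-Allow-Origin'] = allowOrigin;
  if (policy.credentials) headers['Access-Control-Allow-Credentials'] = 'true';
  headers['Access-Control-Allow-Methods'] = policy.methods.join(', ');
  headers['Access-Control-Allow-Headers'] = policy.allowHeaders.join(', ');
  if (policy.exposeHeaders.length) {
    headers['Access-Control-Expose-Headers'] = policy.exposeHeaders.join(', ');
  }
  headers['Access-Control-Max-Age'] = String(policy.maxAge);
  return headers;
}

// Constructed sample policy matching the header set shown on this page.
const samplePolicy = {
  origins: ['https://example.com'], credentials: true,
  methods: ['GET', 'POST'], allowHeaders: ['Content-Type', 'Authorization'],
  exposeHeaders: [], maxAge: 600,
};
console.log(lintPolicy(samplePolicy), corsHeaders('https://example.com', samplePolicy));
```

A request from an origin outside the list gets only Vary: Origin back, so a shared cache still stores that refusal separately from the granted response.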