Response

HTTP Access-Control-Allow-Origin Header

Part of the CORS (Cross-Origin Resource Sharing) system. Indicates whether the response can be shared with requesting code from a different origin.

Purpose

Controls which websites can access the API from browser-based applications, preventing unauthorized cross-origin requests.

Access-Control-Allow-Origin: *
Access-Control-Allow-Origin: https://example.com
Access-Control-Allow-Origin: null

CORS is a browser security mechanism. Server-to-server requests are not restricted by CORS.

Code Examples

See how to use the Access-Control-Allow-Origin header in different tools and languages.

curl -I -H "Origin: https://myapp.com" https://api.example.com/data
# Response:
# Access-Control-Allow-Origin: https://myapp.com
# Access-Control-Allow-Methods: GET, POST
# Access-Control-Allow-Headers: Content-Type, Authorization
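
One way a server can produce the per-origin value seen in the curl response above, as an added example (not code from this page): it matches the request's Origin exactly against an allowlist and sends no header otherwise. The allowlist contents and the function names are assumptions made for this example.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Assumed allowlist for this example; https://myapp.com is the origin
# used in the curl call above.
ALLOWED_ORIGINS = {"https://myapp.com", "https://example.com"}


def normalize_origin(value):
    """Return scheme://host[:port] in canonical form, or None if not a plain origin."""
    if not value or value == "null":
        return None  # opaque origins (sandboxed frames, file:) are never allowlisted
    try:
        parts = urlsplit(value.strip())
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    # An Origin header carries no userinfo, path, query or fragment.
    if parts.username or parts.password or parts.path or parts.query or parts.fragment:
        return None
    origin = f"{parts.scheme}://{parts.hostname}"
    if port and port != DEFAULT_PORTS[parts.scheme]:
        origin += f":{port}"
    return origin


def cors_headers(request_origin, allowed=ALLOWED_ORIGINS):
    """Headers to add to the response for the given request Origin value."""
    origin = normalize_origin(request_origin)
    # Exact set membership: no prefix, suffix or substring matching.
    if origin is None or origin not in allowed:
        return {}  # no header, so the browser will not share the response
    # Vary tells caches that the response differs per requesting origin.
    return {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
```
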
