CORS Configuration Generator

Configure cross-origin resource sharing for your API and get copy-paste code for Next.js or Express. Choose a production or development preset, or customize each setting.

Framework

Choose your backend framework to get the right code output.

Allowed Origins

Which domains can make cross-origin requests to your API.

Allowed Methods

HTTP methods your API accepts from cross-origin requests.

Allowed Headers

Request headers the browser is allowed to send.

Allow Credentials

Send cookies and auth headers cross-origin.

Preflight Cache (Max-Age)

How long browsers cache preflight responses.

Generated Next.js Code

// middleware.ts (project root)
import { NextResponse } from 'next/server'
import type { NextRequest } from 'next/server'

const allowedOrigins = [
  'https://yourdomain.com',
]

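export function middleware(request: NextRequest) {
  // Only origins in the allowlist are echoed back; any other origin gets no CORS grant.
  const origin = request.headers.get('origin') ?? ''
  const isAllowed = allowedOrigins.includes(origin)

  // Preflight: answer directly without reaching the route handler.
  if (request.method === 'OPTIONS') {
    return new NextResponse(null, {
      status: 204,
      headers: {
        ...(isAllowed && { 'Access-Control-Allow-Origin': origin }),
        'Access-Control-Allow-Methods': 'GET, POST, OPTIONS',
        'Access-Control-Allow-Headers': 'Content-Type, Authorization',
        'Access-Control-Allow-Credentials': 'true',
        'Access-Control-Max-Age': '86400',
        // The response differs per Origin, so caches must key on that header.
        Vary: 'Origin',
      },
    })
  }

  // Actual request: let it through and attach the grant for allowed origins only.
  const response = NextResponse.next()
  response.headers.append('Vary', 'Origin')
  if (isAllowed) {
    response.headers.set('Access-Control-Allow-Origin', origin)
    response.headers.set('Access-Control-Allow-Credentials', 'true')
  }
  return response
}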

export const config = {
  matcher: '/api/:path*',
}

CORS configuration runs entirely in your browser. No data is sent to any server. Always test cross-origin requests after deploying to catch misconfigurations early.
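
One way to act on the advice to test after deploying, as an added example that is not part of the generator's output: copy the headers of a preflight response from your deployment into a checker that applies the browser's CORS rules. `checkPreflight`, its argument shapes and the sample values are assumptions made for illustration.

```javascript
// Added example: checkPreflight and its argument shapes are illustrative assumptions.
// req.headers lists the non-safelisted request header names the browser would announce.
function checkPreflight(req, resHeaders) {
  const h = {}
  for (const [k, v] of Object.entries(resHeaders)) h[k.toLowerCase()] = String(v).trim()
  const list = (name) =>
    (h[name] ?? '').split(',').map((s) => s.trim().toLowerCase()).filter(Boolean)
  // "*" only counts without credentials, and never covers Authorization.
  const covers = (name, value) =>
    list(name).includes(value) ||
    (list(name).includes('*') && !req.credentials && value !== 'authorization')
  const errors = [], warnings = []
  const acao = h['access-control-allow-origin']
  if (acao === undefined) {
    errors.push('Access-Control-Allow-Origin missing: origin not allowed')
  } else if (acao === '*') {
    if (req.credentials) errors.push('wildcard origin is rejected for credentialed requests')
  } else {
    if (acao !== req.origin) errors.push(`allowed origin ${acao} does not match ${req.origin}`)
    // A per-origin answer must not be reused by a shared cache for another origin.
    if (!list('vary').includes('origin')) warnings.push('Vary: Origin missing')
  }
  if (req.credentials && h['access-control-allow-credentials'] !== 'true') {
    errors.push('Access-Control-Allow-Credentials is not "true"')
  }
  // GET, HEAD and POST are CORS-safelisted methods and need not be listed.
  const method = req.method.toLowerCase()
  if (!['get', 'head', 'post'].includes(method) && !covers('access-control-allow-methods', method)) {
    errors.push(`method ${req.method} not in Access-Control-Allow-Methods`)
  }
  for (const name of req.headers.map((n) => n.toLowerCase())) {
    if (!covers('access-control-allow-headers', name)) {
      errors.push(`header ${name} not in Access-Control-Allow-Headers`)
    }
  }
  // Browsers cap the preflight cache lifetime; Chromium's cap is 7200 seconds.
  const maxAge = Number(h['access-control-max-age'])
  if (maxAge > 7200) warnings.push('Access-Control-Max-Age above 7200 is capped by Chromium')
  return { ok: errors.length === 0, errors, warnings }
}

// Constructed sample using the header values shown on this page, with no Vary header.
const sampleHeaders = {
  'Access-Control-Allow-Origin': 'https://yourdomain.com',
  'Access-Control-Allow-Methods': 'GET, POST, OPTIONS',
  'Access-Control-Allow-Headers': 'Content-Type, Authorization',
  'Access-Control-Allow-Credentials': 'true',
  'Access-Control-Max-Age': '86400',
}
const sampleRequest = { origin: 'https://yourdomain.com', method: 'POST', headers: ['Content-Type', 'Authorization'], credentials: true }
const sampleResult = checkPreflight(sampleRequest, sampleHeaders)
```

Errors are conditions under which the browser blocks the request; warnings are settings that work but behave differently from what the configuration suggests.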
