Why does CORS break when I allow credentials?

Because the CORS spec forbids combining Access-Control-Allow-Origin: * with Access-Control-Allow-Credentials: true. When you send cookies or auth headers (credentials), the browser requires the server to echo back the specific requesting origin, not a wildcard, and to set Allow-Credentials: true. The generator detects this combination and switches to reflecting the exact origin so cookies actually work.

What is a CORS preflight?

For anything beyond a simple request, the browser first sends an OPTIONS request asking the server which origins, methods, and headers are allowed. If the server does not answer that preflight correctly - with the right Access-Control-Allow-* headers and a 204 - the real request never happens and you get a CORS error. The generated nginx and Caddy configs include the preflight handling that people most often forget.

Should I just allow all origins?

Only for a truly public, credential-free API. A wildcard origin means any website can call your API from a user's browser, which is fine for open data but wrong for anything that uses cookies, tokens, or returns user-specific data. List the specific origins that should be allowed; it is barely more work and closes a real hole.

Free tool · Runs in your browser

Fix CORS, correctly.

CORS errors are maddening because the fix is fiddly and easy to get subtly wrong — especially the wildcard-plus-credentials trap that silently breaks cookies. Pick your origins and target and get a config that actually works, with the preflight handling people forget.

Generate for

Allowed origins (comma-separated, or * for any)

Allowed headers

Max-age (preflight cache, seconds)

Allow credentials (cookies / auth headers)

The error that wastes an afternoon

Almost every developer has lost an afternoon to a CORS error — not because it's hard, but because the rules are precise and the failure messages are vague. The browser blocks the response, the network tab is cryptic, and the fix involves a preflight you didn't know you needed and a wildcard rule that quietly disables your cookies. Getting the config right once, for your actual stack, makes the whole class of problem go away.

CORS is one rule in your edge config, and like the rest of it — headers, TLS, rate limits — the work isn't setting it once, it's keeping it correct and consistent as the app and the hosts change. That standing correctness across the infrastructure you own is what a control plane is for.

Related free tools

Production-ready checkerScore your deploy Deploy error decoderDecode any deploy error DATABASE_URL builderBuild or decode a conn string Downtime cost calculatorPrice your downtime

All free tools →

Related guide

Fix 'Blocked by CORS Policy' Errors

One rule. Then all of them, kept honest.

Infraveil manages your edge configuration and watches for drift across every host you own — CORS, headers, TLS, limits — so the rules you set stay set, with a record proving it.

See how it works

Get the edge-config playbook

CORS, headers, proxies, and TLS for a backend you run yourself. No spam.