Home/API/CORS
API Cheat Sheet Wiki

CORS cheat sheet

Browser cross-origin request rules, preflight behavior, and safe server headers.

Quick lookup

Access-Control-Allow-OriginCheck exact spelling, casing, and the platform documentation for this field.
Access-Control-Allow-MethodsCheck exact spelling, casing, and the platform documentation for this field.
Access-Control-Allow-HeadersCheck exact spelling, casing, and the platform documentation for this field.
Access-Control-Allow-CredentialsCheck exact spelling, casing, and the platform documentation for this field.
OPTIONS preflightCheck exact spelling, casing, and the platform documentation for this field.

Common mistakes

  • Debugging the client before checking the raw request and response
  • Ignoring headers that explain cache, auth, or rate limits
  • Treating browser CORS failures as generic API downtime
  • Logging tokens or webhook secrets while troubleshooting

Online tools