Access-Control-Allow-Origin

The HTTP Access-Control-Allow-Origin response header is part of the Cross-Origin Resource Sharing (CORS) protocol. A server sends it to tell the client that the HTTP response may be shared with requesting code from the specified origin.

Usage

Servers use the Access-Control-Allow-Origin response header to inform clients whether the HTTP response may be shared with code running on another origin. The header takes one of the following values:

Access-Control-Allow-Origin: *

The asterisk is a wildcard that applies only to HTTP requests made without credentials. It tells the client that requesting code from any origin may access the resource.

Note

Using the wildcard when credentials are included will generate a CORS error.

Access-Control-Allow-Origin: null

The null value denotes an opaque origin, that is, a document with no network origin, such as one loaded from the client's local storage. Using null is not recommended, however, because certain user agents automatically grant such documents access to an HTTP response that carries this header. This can result in a security breach: a bad actor can create a malicious document that has the null origin and thereby read the response.

Example

The following example informs the client that it is safe to allow requesting code from https://example.re to access the resource.

Access-Control-Allow-Origin: https://example.re
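The three cases above (wildcard, null and a specific origin) come together on the server side when deciding what to send back. The following is an added example, not code from the original page: a Node.js helper that builds the CORS response headers from the request's Origin, using an assumed allowlist and assumed option names.

```javascript
// Added example (not from the original page). The allowlist, option names and
// function name are assumptions made for this illustration.
const ALLOWED_ORIGINS = new Set([
  "https://example.re",     // the origin used in the page's example
  "https://app.example.re", // constructed second trusted origin
]);

// Returns the CORS headers to attach to a response, or {} when the requesting
// origin must not be allowed to read it.
//   publicResource: the response carries nothing origin-specific or secret
//   credentials:    the request is made with cookies / HTTP auth
function corsHeaders(requestOrigin, { publicResource = false, credentials = false } = {}) {
  // No Origin header means a same-origin or non-CORS request: nothing to add.
  if (!requestOrigin) return {};

  // A public, credential-free resource may use the wildcard. Browsers reject
  // "*" when credentials are included, so that case falls through to the
  // exact-origin path below instead of producing a CORS error.
  if (publicResource && !credentials) {
    return { "Access-Control-Allow-Origin": "*" };
  }

  // "null" is what opaque-origin documents send. Never echo it back: any such
  // document would be granted access to the response.
  if (requestOrigin === "null") return {};

  // Return the single exact origin that is trusted; never reflect an arbitrary
  // Origin value, which would make the allowlist meaningless.
  if (!ALLOWED_ORIGINS.has(requestOrigin)) return {};

  const headers = {
    "Access-Control-Allow-Origin": requestOrigin,
    // The response now differs per origin; tell caches so one origin's copy
    // is not served to another.
    Vary: "Origin",
  };
  if (credentials) headers["Access-Control-Allow-Credentials"] = "true";
  return headers;
}
```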

Takeaway

The Access-Control-Allow-Origin response header is sent by a server to inform clients that they may share the HTTP response with a specific origin.

Last updated: August 2, 2023