Access-Control-Allow-Origin header

Baseline Widely available

This feature is well established and works across many devices and browser versions. It’s been available across browsers since ⁨July 2015⁩.

The HTTPAccess-Control-Allow-Originresponse header indicates whether the response can be shared with requesting code from the givenorigin.

Header type	Response header

Syntax

http

Access-Control-Allow-Origin: *Access-Control-Allow-Origin: <origin>Access-Control-Allow-Origin: null

Directives

* (wildcard): The requesting code from any origin is allowed to access the resource.For requestswithout credentials, the literal value* can be specified as a wildcard.Attempting to use the wildcard with credentialsresults in an error.
<origin>: Specifies a single origin. If the server supports clients from multiple origins, it must return the origin for the specific client making the request.
null: Specifies the origin "null".
Note:The valuenull should not be used. It may seem safe to returnAccess-Control-Allow-Origin: "null"; however, the origin of resources that use a non-hierarchical scheme (such asdata: orfile:) and sandboxed documents is serialized asnull.Many browsers will grant such documents access to a response with anAccess-Control-Allow-Origin: null header, and any origin can create a hostile document with anull origin.Therefore, thenull value for theAccess-Control-Allow-Origin header should be avoided.

Examples

A response that tells the browser to allow code from any origin to access a resource will include the following:

http

Access-Control-Allow-Origin: *

A response that tells the browser to allow requesting code from the originhttps://developer.mozilla.org to access a resource will include the following:

http

Access-Control-Allow-Origin: https://developer.mozilla.org

Limiting the possibleAccess-Control-Allow-Origin values to a set of allowed origins requires code on the server side to check the value of theOrigin request header, compare that to a list of allowed origins, and then if theOrigin value is in the list, set theAccess-Control-Allow-Origin value to the same value as theOrigin value.

CORS and caching

Suppose the server sends a response with anAccess-Control-Allow-Origin value with an explicit origin (rather than the* wildcard). In that case, the response should also include aVary response header with the valueOrigin — to indicate to browsers that server responses can differ based on the value of theOrigin request header.

http

Access-Control-Allow-Origin: https://developer.mozilla.orgVary: Origin

Specifications

Specification
Fetch # http-access-control-allow-origin

Browser compatibility

Help improve MDN

Learn how to contribute

This page was last modified on⁨Nov 21, 2025⁩ byMDN contributors.

View this page on GitHub •Report a problem with this content

Movatterモバイル変換

Access-Control-Allow-Origin header

Syntax

Directives

Examples

CORS and caching

Specifications

Browser compatibility

See also

Help improve MDN