Should I use a wildcard for CORS in production?
No. In production, explicitly list the origins that should be allowed, like your frontend domain. A wildcard is a security risk, especially with credentials, because it allows any site to call your API.
Verify This Answer
Cross-check this information using these trusted sources:
More FAQs in How to Enable CORS on Your Backend API for React Frontends
Use a CORS middleware from your backend framework, allow specific origins instead of a wildcard, handle preflight OPTIONS requests, allow the right methods and headers, and be careful with credentials. Test from the browser, not just Postman.
For non-simple requests, the browser sends an OPTIONS preflight first. Your server must respond to OPTIONS with the right headers, or the actual request never fires. Using CORS middleware handles this automatically.
Set Access-Control-Allow-Credentials to true on the server, and do not use a wildcard origin. Specify exact origins instead. On the frontend, include credentials in your fetch or axios request.
Still have questions?
Browse all our FAQs or reach out to our support team
