What is Access-Control-Max-Age and why use it?
A header that tells the browser how long to cache the preflight result. Setting it to 3600 (1 hour) means the browser does not send a new OPTIONS request for that URL for 1 hour, reducing overhead.
Verify This Answer
Cross-check this information using these trusted sources:
More FAQs in CORS Security Best Practices
For public APIs without credentials, yes. For APIs with credentials (cookies, auth), no. Use the specific origin instead. The wildcard allows any website to make requests, which can be a security risk for authenticated APIs.
const allowedOrigins = ['https://myapp.com', 'https://admin.myapp.com']; if (allowedOrigins.includes(req.headers.origin)) res.header('Access-Control-Allow-Origin', req.headers.origin);
No. Only allow the methods you actually use. If your API only uses GET and POST, do not include PUT, DELETE, PATCH. This reduces the attack surface.
Still have questions?
Browse all our FAQs or reach out to our support team
