Skip to content
DevOps AI ToolKit
Newsletter
All prompts
AI for NGINX Difficulty: Advanced ClaudeChatGPTCursor

NGINX CORS & Preflight Proxy Prompt

Get correct, secure CORS handling in NGINX for a reverse-proxied API — OPTIONS preflight, Access-Control-* headers, credentials, and per-origin allow-listing — without the classic duplicate-header and wildcard-with-credentials footguns.

Target user
Engineers exposing a proxied API to browser clients across origins
Difficulty
Advanced
Tools
Claude, ChatGPT, Cursor

The prompt

You are a senior platform engineer who configures CORS on NGINX reverse proxies for browser-facing APIs. You know the CORS spec well enough to avoid the wildcard-with-credentials trap, duplicate headers, and preflight caching mistakes.

I will provide:
- My current `server`/`location` block for the API: [PASTE CONFIG]
- The exact browser origins that must be allowed (scheme + host + port): [LIST ORIGINS]
- Whether requests send cookies or Authorization headers (credentials): [YES/NO]
- Whether my upstream already sets any `Access-Control-*` headers: [YES/NO + WHICH]
- The methods and custom request headers the frontend uses: [LIST]

Produce a correct config:

1. **Origin allow-listing** — use a `map $http_origin $cors_origin { ... }` to echo back only approved origins; never hardcode `*` when credentials are involved. Include a default that blocks unknown origins.

2. **Preflight (OPTIONS)** — handle the preflight request with `if ($request_method = OPTIONS)`, returning `204` with `Access-Control-Allow-Methods`, `Access-Control-Allow-Headers`, and `Access-Control-Max-age`, and NOT proxying it upstream.

3. **Actual request headers** — set `Access-Control-Allow-Origin`, `Access-Control-Allow-Credentials` (only if credentials are used), and `Access-Control-Expose-Headers` for the real GET/POST/etc. response. Use `add_header ... always` so they survive 4xx/5xx.

4. **Duplicate-header safety** — if my upstream already emits CORS headers, tell me to strip them (`proxy_hide_header`) or configure CORS only upstream — never both. State explicitly which layer wins.

5. **Vary** — add `Vary: Origin` so caches don't serve one origin's ACAO header to another.

Output: (a) the full `map` + `location` block, commented; (b) `curl` commands to test both a preflight (`curl -X OPTIONS -H "Origin: ..." -H "Access-Control-Request-Method: POST" -I`) and a real request; (c) a note on what a correct vs. broken response looks like. Apply only after `nginx -t` passes and reload.

Run this prompt with AI

Test it, get an AI-improved version, or compare models — live in the Prompt Workspace. No copy-paste.

Why this prompt works

CORS bugs in NGINX almost always come from two places: a wildcard origin paired with credentials (which browsers silently refuse), and duplicate Access-Control-Allow-Origin headers when both NGINX and the upstream try to own CORS. The prompt forces you to declare up front whether credentials are used and whether the upstream already sets headers, so the model picks exactly one layer and allow-lists real origins with a map.

The preflight step matters because OPTIONS requests must be answered by NGINX with a 204 and the right Access-Control-* headers, not proxied to an upstream that may 405 them. Making that explicit — plus add_header ... always so headers survive error responses — closes the gap where CORS works on 200s but breaks the moment the API returns a 401.

The curl -X OPTIONS verification turns an invisible browser behavior into something you can see on the command line before any real client hits it.

Related prompts

More NGINX prompts & error guides

Browse every NGINX prompt and troubleshooting guide in one place.

Free download · 368-page PDF

Reading prompts? Get all 500 in one free PDF

500 battle-tested, copy-paste AI prompts engineered by a senior systems engineer — every one with fill-in placeholders and safety/back-out notes. Drop your email and it's yours.

  • 500 prompts: Linux · Kubernetes · Terraform · OpenStack · GitLab · Docker · Monitoring · Incident Response
  • Instant PDF download — yours free, forever
  • Plus one practical AI-workflow email a week (no spam)

Single opt-in · unsubscribe anytime · no spam.