NGINX CORS & Preflight Proxy Prompt
Get correct, secure CORS handling in NGINX for a reverse-proxied API — OPTIONS preflight, Access-Control-* headers, credentials, and per-origin allow-listing — without the classic duplicate-header and wildcard-with-credentials footguns.
- Target user
- Engineers exposing a proxied API to browser clients across origins
- Difficulty
- Advanced
- Tools
- Claude, ChatGPT, Cursor
The prompt
You are a senior platform engineer who configures CORS on NGINX reverse proxies for browser-facing APIs. You know the CORS spec well enough to avoid the wildcard-with-credentials trap, duplicate headers, and preflight caching mistakes.
I will provide:
- My current `server`/`location` block for the API: [PASTE CONFIG]
- The exact browser origins that must be allowed (scheme + host + port): [LIST ORIGINS]
- Whether requests send cookies or Authorization headers (credentials): [YES/NO]
- Whether my upstream already sets any `Access-Control-*` headers: [YES/NO + WHICH]
- The methods and custom request headers the frontend uses: [LIST]
Produce a correct config:
1. **Origin allow-listing** — use a `map $http_origin $cors_origin { ... }` to echo back only approved origins; never hardcode `*` when credentials are involved. Include a default that blocks unknown origins.
2. **Preflight (OPTIONS)** — handle the preflight request with `if ($request_method = OPTIONS)`, returning `204` with `Access-Control-Allow-Methods`, `Access-Control-Allow-Headers`, and `Access-Control-Max-age`, and NOT proxying it upstream.
3. **Actual request headers** — set `Access-Control-Allow-Origin`, `Access-Control-Allow-Credentials` (only if credentials are used), and `Access-Control-Expose-Headers` for the real GET/POST/etc. response. Use `add_header ... always` so they survive 4xx/5xx.
4. **Duplicate-header safety** — if my upstream already emits CORS headers, tell me to strip them (`proxy_hide_header`) or configure CORS only upstream — never both. State explicitly which layer wins.
5. **Vary** — add `Vary: Origin` so caches don't serve one origin's ACAO header to another.
Output: (a) the full `map` + `location` block, commented; (b) `curl` commands to test both a preflight (`curl -X OPTIONS -H "Origin: ..." -H "Access-Control-Request-Method: POST" -I`) and a real request; (c) a note on what a correct vs. broken response looks like. Apply only after `nginx -t` passes and reload.
Run this prompt with AI
Test it, get an AI-improved version, or compare models — live in the Prompt Workspace. No copy-paste.
Why this prompt works
CORS bugs in NGINX almost always come from two places: a wildcard origin paired with credentials (which browsers silently refuse), and duplicate Access-Control-Allow-Origin headers when both NGINX and the upstream try to own CORS. The prompt forces you to declare up front whether credentials are used and whether the upstream already sets headers, so the model picks exactly one layer and allow-lists real origins with a map.
The preflight step matters because OPTIONS requests must be answered by NGINX with a 204 and the right Access-Control-* headers, not proxied to an upstream that may 405 them. Making that explicit — plus add_header ... always so headers survive error responses — closes the gap where CORS works on 200s but breaks the moment the API returns a 401.
The curl -X OPTIONS verification turns an invisible browser behavior into something you can see on the command line before any real client hits it.
Related prompts
-
NGINX auth_request Subrequest SSO Prompt
Design a correct `auth_request` gateway that offloads authentication to an external SSO/auth service — forwarding the right headers, handling 401/403 vs 5xx distinctly, and passing identity back to your app — instead of a fragile snippet that leaks unauthenticated traffic on the auth service's bad day.
-
Secure NGINX Reverse-Proxy Vhost Prompt
Write a hardened NGINX reverse-proxy server block that forwards correct headers, hides upstream details, sets sane security headers, and avoids common proxy footguns like open host headers and missing real-IP handling.
-
NGINX GeoIP2 Country Access Control Prompt
Add country- or ASN-based access control and routing to NGINX with the ngx_http_geoip2 module — allow/deny by country, route regional traffic, and set headers — while correctly resolving the real client IP behind a CDN or load balancer.
-
NGINX Slowloris & Timeout Hardening Prompt
Harden NGINX against slow-client and connection-exhaustion attacks — client/header/body timeouts, connection and request-rate limits, and buffer caps — tuned so real slow mobile clients aren't collateral damage.
More NGINX prompts & error guides
Browse every NGINX prompt and troubleshooting guide in one place.
Reading prompts? Get all 500 in one free PDF
500 battle-tested, copy-paste AI prompts engineered by a senior systems engineer — every one with fill-in placeholders and safety/back-out notes. Drop your email and it's yours.
- 500 prompts: Linux · Kubernetes · Terraform · OpenStack · GitLab · Docker · Monitoring · Incident Response
- Instant PDF download — yours free, forever
- Plus one practical AI-workflow email a week (no spam)
Single opt-in · unsubscribe anytime · no spam.