Spoold is a free, privacy-first developer toolbox. Paste into the Magic Box and it detects JSON, HTML, JWT, curl, OpenAPI, CSV, timestamps, and more—then suggests the best tool. You can also browse the full catalog by category. No sign-up is required.

Is Spoold free to use?

Yes. Core tools are free. Heavy work runs in your browser so your payloads are not processed on Spoold servers for formatting, decoding, and similar utilities.

Is my data safe with Spoold?

Tool processing for supported client-side utilities happens in your browser. Encrypted share links are designed so only people with the link can read the payload. Review the Privacy Policy for details on cookies, optional ads, and third-party services.

What tools are available?

Spoold ships 65+ tools including JSON formatter and diff, JSON Schema validation, YAML and TOML converters, HTML and Markdown preview, JWT decode and sign, OpenAPI/Swagger viewer with curl, GraphQL formatter, curl to code and curl compare, certificate viewer, CSV preview, regex tester, Mermaid, code editor, LLM token utilities, QR codes, and many encoding and text utilities.

Does Spoold show ads?

The site may display advertisements or sponsored placements to help keep the service free. House promotions highlight other Spoold tools. Ads do not change the fact that supported tools process your pasted content locally in the browser. You can read how to manage ad cookies and opt-outs in the Privacy Policy.

Can I use keyboard shortcuts?

Yes. Press Cmd or Ctrl+K to open tool search, use / from the homepage, and use per-tool shortcuts (shown in the UI) such as jj for JSON and hh for HTML where configured.

S3 CORS Policy Generator: Create AWS Bucket CORS JSON for Browser Uploads | Spoold Blog

Build an S3 CORS policy for frontend uploads and reads

Use Spoold's S3/R2 CORS Generator to create an AWS S3 bucket CORS policy for browser uploads, public reads, signed downloads, and presigned URL flows. The tool produces editable policy JSON, an AWS CLI file with CORSRules, and a preflight curl for testing.

What is an S3 CORS policy?

An S3 CORS policy is a bucket-level rule set that tells Amazon S3 which browser origins can access objects, which HTTP methods are allowed, which request headers can be sent, and which response headers JavaScript can read. It is separate from IAM, bucket policies, ACLs, and presigned URL authorization.

S3 console JSON vs AWS CLI JSON

The S3 console commonly shows the rules themselves. The AWS CLI put-bucket-cors command expects a wrapper object with CORSRules. This small difference is easy to miss, so the generator outputs both.

Rule list

[
  {
    "AllowedOrigins": ["https://app.example.com"],
    "AllowedMethods": ["GET", "PUT", "HEAD"],
    "AllowedHeaders": ["Content-Type"],
    "ExposeHeaders": ["ETag"],
    "MaxAgeSeconds": 3600
  }
]

AWS CLI file

{
  "CORSRules": [
    {
      "AllowedOrigins": ["https://app.example.com"],
      "AllowedMethods": ["GET", "PUT", "HEAD"],
      "AllowedHeaders": ["Content-Type"],
      "ExposeHeaders": ["ETag"],
      "MaxAgeSeconds": 3600
    }
  ]
}

Recommended S3 CORS policies by use case

Use case	Methods	Headers	Expose
Public asset read	GET, HEAD	Usually empty	Content-Length
Presigned PUT upload	PUT, HEAD	Content-Type, x-amz-*	ETag
Presigned POST upload	POST, HEAD	Content-Type, x-amz-*	ETag
Signed download	GET, HEAD	Authorization if sent	ETag

How to generate an S3 CORS policy

Open the S3 CORS policy generator and select AWS S3.
Pick a preset for public read, presigned upload, signed download, or assets.
Add exact origins such as https://app.example.com and http://localhost:3000.
Add all request headers your frontend sends.
Copy the policy or download the AWS CLI JSON file.
Apply it with aws s3api put-bucket-cors --bucket BUCKET --cors-configuration file://cors-aws-cli.json.

Common S3 CORS mistakes

Using the wrong wrapper: AWS CLI expects CORSRules, not only a bare array.
Forgetting localhost: your production origin does not cover local dev.
Allowing GET but uploading with PUT: the preflight method must be allowed.
Missing upload headers: every header in Access-Control-Request-Headers must be covered.
Not exposing ETag: uploads may succeed, but JavaScript cannot read ETag unless it is in ExposeHeaders.

Use the debugger for failed preflight requests

Paste your current S3 CORS policy into the S3/R2 CORS debugger, then enter the browser origin, method, request headers, and console error. The debugger shows whether the request fails because of origin, method, request headers, exposed response headers, or wildcard origin with credentials.

S3 CORS Policy Generator: Create AWS Bucket CORS JSON for Browser Uploads

What is an S3 CORS policy?

S3 console JSON vs AWS CLI JSON

Recommended S3 CORS policies by use case

How to generate an S3 CORS policy

Common S3 CORS mistakes

Use the debugger for failed preflight requests

Related Tools

JSON Formatter

URL Parser

Related Articles

CSV Operations Query Tool Online: Filter, Dedupe, Compare CSV and Excel

Cloudflare R2 CORS Generator: Create Bucket CORS JSON for Browser Apps

R2 Presigned URL CORS: Fix Browser Upload and Download Errors

Try It Now