Spoold is a free, privacy-first developer toolbox. Paste into the Magic Box and it detects JSON, HTML, JWT, curl, OpenAPI, CSV, timestamps, and more—then suggests the best tool. You can also browse the full catalog by category. No sign-up is required.

Is Spoold free to use?

Yes. Core tools are free. Heavy work runs in your browser so your payloads are not processed on Spoold servers for formatting, decoding, and similar utilities.

Is my data safe with Spoold?

Tool processing for supported client-side utilities happens in your browser. Encrypted share links are designed so only people with the link can read the payload. Review the Privacy Policy for details on cookies, optional ads, and third-party services.

What tools are available?

Spoold ships 65+ tools including JSON formatter and diff, JSON Schema validation, YAML and TOML converters, HTML and Markdown preview, JWT decode and sign, OpenAPI/Swagger viewer with curl, GraphQL formatter, curl to code and curl compare, certificate viewer, CSV preview, regex tester, Mermaid, code editor, LLM token utilities, QR codes, and many encoding and text utilities.

Does Spoold show ads?

The site may display advertisements or sponsored placements to help keep the service free. House promotions highlight other Spoold tools. Ads do not change the fact that supported tools process your pasted content locally in the browser. You can read how to manage ad cookies and opt-outs in the Privacy Policy.

Can I use keyboard shortcuts?

Yes. Press Cmd or Ctrl+K to open tool search, use / from the homepage, and use per-tool shortcuts (shown in the UI) such as jj for JSON and hh for HTML where configured.

Cloudflare R2 CORS Generator: Create Bucket CORS JSON for Browser Apps | Spoold Blog

Generate Cloudflare R2 CORS config without guessing field names

Spoold's S3/R2 CORS Generator & Debugger creates Cloudflare R2 bucket CORS JSON for browser apps. Pick a preset, enter your app origin, choose methods such as GET or PUT, and copy dashboard-ready JSON plus a Wrangler file for applying the policy from the command line.

What is a Cloudflare R2 CORS generator?

A Cloudflare R2 CORS generator helps you create the bucket policy that tells browsers which frontend origins can read or upload objects from R2. CORS is only enforced by the browser. Your presigned URL or public object may work in curl, but the same request can fail in a web app if R2 does not return the right Access-Control-* headers.

R2 CORS fields explained

Field	Purpose	Typical value
AllowedOrigins	Frontend origins allowed to access R2 from a browser.	https://app.example.com
AllowedMethods	Methods the browser can use after preflight succeeds.	GET, HEAD, PUT
AllowedHeaders	Request headers your frontend may send.	Content-Type, x-amz-*
ExposeHeaders	Response headers JavaScript can read.	ETag, Content-Length
MaxAgeSeconds	How long the browser can cache preflight success.	3600

Dashboard JSON vs Wrangler JSON

R2 developers often run into a small mismatch: the dashboard-style rule list and the Wrangler file shape are not always pasted in the same wrapper. The Spoold tool shows both forms. Use the editable CORS JSON for dashboard-style policy review, and use the generated Wrangler file when running wrangler r2 bucket cors set.

Dashboard-style rule list

[
  {
    "AllowedOrigins": ["https://app.example.com"],
    "AllowedMethods": ["GET", "PUT", "HEAD"],
    "AllowedHeaders": ["Content-Type"],
    "ExposeHeaders": ["ETag"],
    "MaxAgeSeconds": 3600
  }
]

Wrangler file shape

{
  "rules": [
    {
      "allowed": {
        "origins": ["https://app.example.com"],
        "methods": ["GET", "PUT", "HEAD"],
        "headers": ["Content-Type"]
      },
      "exposeHeaders": ["ETag"],
      "maxAgeSeconds": 3600
    }
  ]
}

Best presets for common R2 use cases

Public assets: use GET and HEAD. Add Content-Length to exposed headers if the frontend reads file size.
Presigned upload: use PUT, POST, and HEAD. Include Content-Type and any x-amz-* headers your upload sends.
Signed download: use GET and HEAD. Expose ETag only if the frontend reads it.

How to generate R2 CORS config

Open the S3/R2 CORS tool and choose Cloudflare R2.
Pick a preset: public read, presigned upload, signed download, or fonts/assets.
Enter your production origin and any localhost origin used in development.
Add request headers from your frontend upload code.
Copy the editable JSON or download the Wrangler file.
Use the Debug tab if the browser still reports a preflight or missing-origin error.

Why use the debugger after generating config?

The generator gives you a good starting policy. The debugger checks the exact failing request. Paste your current R2 CORS JSON, the request origin, method, request headers, and browser console error. It will tell you whether the origin, method, headers, or exposed response headers are missing.

Cloudflare R2 CORS Generator: Create Bucket CORS JSON for Browser Apps

What is a Cloudflare R2 CORS generator?

R2 CORS fields explained

Dashboard JSON vs Wrangler JSON

Best presets for common R2 use cases

How to generate R2 CORS config

Why use the debugger after generating config?

Related Tools

JSON Formatter

URL Parser

Related Articles

CSV Operations Query Tool Online: Filter, Dedupe, Compare CSV and Excel

R2 Presigned URL CORS: Fix Browser Upload and Download Errors

S3 CORS Policy Generator: Create AWS Bucket CORS JSON for Browser Uploads

Try It Now