CORS Tester

Test Cross-Origin Resource Sharing (CORS) headers for any URL.

The Origin header sent with the preflight and GET requests.

What This Tool Checks

Comprehensive CORS header analysis for cross-origin request debugging.

Preflight Inspection

Sends an OPTIONS preflight request with standard CORS headers and reports the server's response status and headers.

Origin Testing

Test with any custom origin to see exactly how the server responds to cross-origin requests from your domain.

Security Analysis

Detects insecure configurations like wildcard origins with credentials, which browsers reject.

Full Header Report

Shows all six CORS headers including allowed methods, max-age, exposed headers, and credentials support.

How It Works

Three simple steps to test CORS for any API or website.

1. Enter a URL

Paste the API endpoint or website URL you want to test. Optionally set a custom origin.

2. Send Requests

The tool sends both an OPTIONS preflight and a GET request with your specified origin header.

3. Review Results

See whether CORS is enabled, inspect each header value, and review any security issues detected.

Frequently Asked Questions

Cross-Origin Resource Sharing (CORS) is a browser security mechanism that controls which websites can make requests to your server and read the responses. Without proper CORS headers, browsers block cross-origin requests to protect users from malicious sites stealing data from other domains. Because the browser enforces CORS, it does not replace authentication or authorization on the server itself.

A preflight request is an OPTIONS request that browsers automatically send before certain cross-origin requests. It asks the server if the actual request is allowed. The server responds with CORS headers indicating which origins, methods, and headers are permitted.

When Access-Control-Allow-Origin is set to * and Access-Control-Allow-Credentials is true, browsers reject the response to a credentialed request entirely. This is because allowing any origin to send credentialed requests would let any website access authenticated data. You must specify an explicit origin instead.
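
The checks described above, as an added example that is not the tool's own code: it applies the browser's origin, credentials and preflight-method rules to captured response headers. The function names, issue labels, sample headers and the `https://app.example` origin are constructed for illustration; the `Vary: Origin` check is an extra caching check not listed on this page, and a 2xx preflight status is assumed.

```javascript
// Added example: browser-side CORS checks applied to captured response headers.
// `req` describes what the calling page intends to send.
const tokens = (value) => (value || '').split(',').map((s) => s.trim()).filter(Boolean);

function normalise(headers) {
  // Header names are case-insensitive, so key everything in lower case.
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v).trim();
  return h;
}

// Origin and credentials check, applied to both the preflight and the real response.
function corsCheck(req, headers) {
  const h = normalise(headers);
  const acao = h['access-control-allow-origin'];
  // Only the exact string "true" enables credentials.
  const allowsCreds = h['access-control-allow-credentials'] === 'true';
  const issues = [];
  if (acao === '*' && allowsCreds) issues.push('wildcard-with-credentials');
  // Extra check: a per-origin answer should vary the cache key on Origin.
  if (acao && acao !== '*' && !tokens(h['vary']).some((t) => t.toLowerCase() === 'origin')) {
    issues.push('missing-vary-origin');
  }
  // "*" counts as a wildcard only when the request carries no credentials.
  const originOk = acao === req.origin || (acao === '*' && !req.credentials);
  return { pass: originOk && (!req.credentials || allowsCreds), issues };
}

// The preflight adds the method check; GET, HEAD and POST never need listing.
function preflightCheck(req, headers) {
  const base = corsCheck(req, headers);
  const allowed = tokens(normalise(headers)['access-control-allow-methods']);
  const methodOk = ['GET', 'HEAD', 'POST'].includes(req.method)
    || allowed.includes(req.method) // method names are compared case-sensitively
    || (allowed.includes('*') && !req.credentials);
  return { pass: base.pass && methodOk, issues: base.issues };
}

// Constructed sample responses (not captured from any real server).
const wildcardCreds = { 'Access-Control-Allow-Origin': '*', 'Access-Control-Allow-Credentials': 'true' };
const explicit = {
  'Access-Control-Allow-Origin': 'https://app.example',
  'Access-Control-Allow-Credentials': 'true',
  'Access-Control-Allow-Methods': 'GET, PUT',
  'Vary': 'Origin',
};
```

With `wildcardCreds`, a credentialed request fails the check while an uncredentialed one passes, which is why the wildcard configuration is flagged even though the endpoint appears to work for anonymous calls.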

CORS headers are set on the server side. You need to configure your web server or application to include Access-Control-Allow-Origin with the appropriate origin value. Most web frameworks have CORS middleware that makes this straightforward to set up.
