
CORS Explained: Cross-Origin Resource Sharing

CORS is a browser-enforced mechanism that relaxes the same-origin policy: it lets a server declare which other origins may read its responses. Without the right CORS headers, browser JavaScript running on example.com can still send a request to api.other.com, but the browser refuses to let the script read the response, even if both domains belong to the same organization. Because the check happens in the browser, CORS is not an access control on the server: curl, scripts and other non-browser clients ignore it, and the server still has to authenticate and authorize every request on its own.

Key headers: Access-Control-Allow-Origin (the single origin allowed to read the response, or * for public APIs that need no credentials), Access-Control-Allow-Methods (methods permitted beyond GET, HEAD and POST, e.g. PUT, DELETE), Access-Control-Allow-Headers (request headers the client may send beyond the safelisted ones, e.g. Authorization, a custom X- header), Access-Control-Allow-Credentials (lets the browser send and accept cookies, HTTP auth and TLS client certificates on cross-origin requests), Access-Control-Expose-Headers (response headers the script may read beyond the safelisted ones), and Access-Control-Max-Age (how long a preflight result may be cached). Preflight requests use the OPTIONS method, carrying Origin, Access-Control-Request-Method and Access-Control-Request-Headers, so the browser can check permissions before sending the actual request.

Common CORS Errors & Fixes

1. No Access-Control-Allow-Origin header: The most common CORS error. The server must explicitly return this header on the actual response (and on the preflight response); it cannot be added client-side, and a proxy that strips it breaks the client. Fix it with an exact-match allowlist of origins, not by echoing whatever Origin the request carries: reflecting an arbitrary Origin is equivalent to allowing every site on the web. When the header varies per origin, also send Vary: Origin so shared caches do not serve one origin's response to another.
2. Wildcard with credentials: Access-Control-Allow-Origin: * cannot be used with Access-Control-Allow-Credentials: true; browsers reject the combination and fail the request. The tempting workaround, reflecting the request's Origin together with Allow-Credentials: true, is worse than the error it removes, because any site can then read the user's authenticated responses. Use * only for public, unauthenticated APIs; for credentialed APIs return the one requesting origin, and only if it is on the allowlist.
3. Missing preflight headers: Requests that are not "simple" trigger a preflight OPTIONS request: methods other than GET, HEAD and POST; a Content-Type other than application/x-www-form-urlencoded, multipart/form-data or text/plain (so JSON bodies preflight); or non-safelisted request headers such as Authorization or a custom X- header. The OPTIONS response must return a 2xx status and carry Access-Control-Allow-Origin plus Access-Control-Allow-Methods and Access-Control-Allow-Headers covering what the browser asked for. A common mistake is an authentication middleware that returns 401 to the preflight, which never carries credentials.
4. Caching preflight: Access-Control-Max-Age controls how long browsers cache preflight results; with no header the default is 5 seconds, so every non-simple request pays for a second round trip. Setting 86400 for production APIs reduces that overhead, but browsers cap the value (Chromium at 7200 seconds, Firefox at 86400), and a cached preflight means policy changes take effect only after the cache expires.
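The allowlist, preflight and wildcard rules from the list above, as an added example written for this page in JavaScript for a Node.js-style server (not code from the original guide). The policy helper, the origin list, the header names and the request shape ({ method, headers } with lowercase header names, as Node's http module provides) are assumptions made for the example.

```javascript
// Added example (not from the original page): a CORS decision function for a
// Node.js-style request object. Policy names, origins and header lists are assumptions.

// Build a policy once at startup. Throws on the wildcard+credentials combination
// that browsers reject anyway (error #2 in the guide).
function makeCorsPolicy({ origins, credentials = false,
                          methods = ['GET', 'POST', 'PUT', 'DELETE'],
                          headers = ['content-type', 'authorization'],
                          maxAge = 86400 }) {
  if (origins === '*' && credentials) {
    throw new Error('Access-Control-Allow-Origin: * cannot be combined with credentials');
  }
  return {
    origins: origins === '*' ? '*' : new Set(origins),   // exact-match allowlist, never a regex
    credentials,
    methods: methods.map(m => m.toUpperCase()),
    headers: headers.map(h => h.toLowerCase()),
    maxAge,
  };
}

// Decide which CORS headers to send for one request.
// req = { method, headers } with lowercase header names. Returns { headers, preflight, allowed }.
function corsHeaders(req, policy) {
  const origin = req.headers['origin'];
  // No Origin header: same-origin navigation or a non-browser client; CORS does not apply.
  if (!origin) return { headers: {}, preflight: false, allowed: true };

  const out = {};
  if (policy.origins === '*') {
    out['Access-Control-Allow-Origin'] = '*';
  } else {
    // The response differs per Origin, so shared caches must key on it.
    out['Vary'] = 'Origin';
    if (!policy.origins.has(origin)) {
      // Unknown origin: send no Allow-Origin at all. Reflecting the request's Origin
      // here would turn the allowlist into "allow everyone".
      return { headers: out, preflight: false, allowed: false };
    }
    out['Access-Control-Allow-Origin'] = origin;
  }
  if (policy.credentials) out['Access-Control-Allow-Credentials'] = 'true';

  const preflight = req.method === 'OPTIONS' && 'access-control-request-method' in req.headers;
  if (!preflight) return { headers: out, preflight: false, allowed: true };

  // Preflight: check the method and headers the browser intends to use.
  const wantMethod = req.headers['access-control-request-method'].toUpperCase();
  const wantHeaders = (req.headers['access-control-request-headers'] || '')
    .split(',').map(h => h.trim().toLowerCase()).filter(Boolean);
  const methodOk = policy.methods.includes(wantMethod);
  const headersOk = wantHeaders.every(h => policy.headers.includes(h));
  if (!methodOk || !headersOk) {
    // Omit Allow-Methods/Allow-Headers; the browser then fails the real request.
    return { headers: out, preflight: true, allowed: false };
  }
  out['Access-Control-Allow-Methods'] = policy.methods.join(', ');
  out['Access-Control-Allow-Headers'] = policy.headers.join(', ');
  out['Access-Control-Max-Age'] = String(policy.maxAge);
  return { headers: out, preflight: true, allowed: true };
}

// Glue for Node's http.Server: writes the headers and short-circuits preflights.
// Returns true when the request has been fully handled (the caller then stops).
function applyCors(req, res, policy) {
  const d = corsHeaders(req, policy);
  for (const [name, value] of Object.entries(d.headers)) res.setHeader(name, value);
  if (d.preflight) {
    res.writeHead(d.allowed ? 204 : 403);   // a preflight needs a 2xx to succeed
    res.end();
    return true;
  }
  return false;
}

// Usage inside a handler: run it before any authentication middleware.
//   const policy = makeCorsPolicy({ origins: ['https://app.example.com'], credentials: true });
//   http.createServer((req, res) => { if (applyCors(req, res, policy)) return; /* real handler */ });
```

Note that the OPTIONS branch runs before authentication: the browser sends preflights without cookies or Authorization, so an auth layer placed first answers 401 and the real request never happens. The rejected-origin branch deliberately sends no Allow-Origin header rather than an error status, which is what the browser expects and leaks nothing about the allowlist.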

CLI Equivalent

curl -s -D - -o /dev/null -H "Origin: https://example.com" https://api.example.com | grep -i '^access-control'
curl -s -D - -o /dev/null -X OPTIONS -H "Origin: https://example.com" -H "Access-Control-Request-Method: PUT" -H "Access-Control-Request-Headers: Content-Type, Authorization" https://api.example.com | grep -i '^access-control'

The first command checks the headers on an ordinary GET response (-D - dumps the response headers, -o /dev/null discards the body). The second sends the same preflight a browser would for a PUT with a JSON body and an Authorization header, which is what error #3 above is about; a server that answers the first correctly can still fail the second. Swap the Origin for one that should not be allowed: if Access-Control-Allow-Origin comes back echoing it, the server reflects origins and error #2's warning applies.
