CORS Tester

Test and diagnose Cross-Origin Resource Sharing (CORS) headers for any URL

Understanding CORS

What is CORS?

Cross-Origin Resource Sharing (CORS) is a security mechanism that lets a web page from one origin read resources served by a different origin. Without CORS, the browser's same-origin policy blocks cross-origin requests by default, so that one site cannot use the visitor's browser (and the visitor's cookies) to read data from another site.

How CORS Works

When a browser makes a cross-origin request, it sends an Origin header identifying the requesting page. The server must respond with an Access-Control-Allow-Origin header that matches that origin (or the wildcard *); otherwise the browser withholds the response from the page. For non-simple requests, the browser first sends an OPTIONS preflight request to check whether the actual request's method and headers are permitted.

Key CORS Headers

Access-Control-Allow-Origin specifies which origin is allowed to read the response. Access-Control-Allow-Methods lists the HTTP methods permitted in the actual request. Access-Control-Allow-Headers lists the request headers the actual request may carry. Access-Control-Allow-Credentials indicates whether credentials (cookies and HTTP authentication) may be included.

Debugging CORS Errors

CORS errors appear in the browser console when a cross-origin request is blocked. Check that the server includes the correct CORS headers. For APIs, ensure the server allows your origin, the required methods, and any custom headers you send.

Features

  • Test CORS headers for any URL directly from your browser with instant real-time results showing all Access-Control response headers
  • Detect whether cross-origin requests are allowed or blocked with clear visual indicators for quick CORS policy assessment
  • View all six CORS response headers including Access-Control-Allow-Origin, Methods, Headers, Credentials, Max-Age, and Expose-Headers
  • Support for all HTTP methods including GET, POST, PUT, DELETE, PATCH, OPTIONS, and HEAD for comprehensive CORS testing
  • Sample URLs included for quick testing with known CORS-enabled and CORS-blocked endpoints to learn how CORS works in practice
  • Educational section explaining CORS concepts, preflight requests, and debugging strategies for developers of all skill levels
  • 100% client-side processing with no data sent to any server ensuring complete privacy and security for your API endpoint testing

How to use

  1. Enter the URL you want to test in the input field or select one of the sample URLs provided for quick testing.
  2. Choose the HTTP method (GET, POST, etc.) and optionally add custom headers in the advanced options section.
  3. Click 'Test CORS' to send a cross-origin request and view the detailed results including all CORS headers and their values.

Tips & Best Practices

  • Double-check URLs and hostnames before running network lookups.
  • Results may vary based on DNS propagation and network conditions.
  • Use this tool for debugging and development, not for production monitoring.
  • Some checks may be blocked by firewalls or CORS policies.
  • All lookups are performed client-side when possible for privacy.

FAQ

What is CORS and why does it matter for web developers?

CORS (Cross-Origin Resource Sharing) is a browser security feature that controls which web pages can make requests to a different domain than the one that served the page. It matters because modern web applications frequently need to call APIs on different domains, and without proper CORS configuration, these requests will be blocked by the browser. Understanding CORS is essential for building applications that interact with third-party APIs or microservices.

Why do I get a CORS error even though the API works in Postman or curl?

CORS is a browser-enforced security policy, not a server-side restriction. Tools like Postman and curl bypass CORS entirely because they are not browsers and do not enforce the same-origin policy. The browser specifically checks for CORS headers in the server's response and blocks the request if they are missing or incorrect. This is why an API can work perfectly in Postman but fail in a browser application.

What is a preflight request and when does the browser send one?

A preflight request is an OPTIONS request that the browser automatically sends before the actual request to check if the server allows the cross-origin request. The browser sends a preflight for requests that use methods other than GET, HEAD, or POST, or that include custom headers, or that use Content-Type values other than application/x-www-form-urlencoded, multipart/form-data, or text/plain. The server must respond with appropriate CORS headers to allow the actual request to proceed.

What does Access-Control-Allow-Origin: * mean and is it safe?

The wildcard value * means the server allows any origin to read the response. While convenient for public APIs, it is a risk for private APIs that handle sensitive data. Browsers refuse to combine * with credentialed requests, so when using * the server cannot also set Access-Control-Allow-Credentials to true. For APIs that require authentication, specify exact allowed origins instead of the wildcard.
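The browser-side rules described in "How CORS Works", "Key CORS Headers" and the two FAQ answers above can be written down as a small decision procedure. The following is an added example, not the CORS Tester's own code; it models the checks a browser performs per the public Fetch standard, and every request and response sample in it is constructed for illustration.

```javascript
// Added example (not the CORS Tester's own code): a small model of the
// browser-side CORS decision, following the public Fetch standard rules that
// the text above summarises. It answers two questions: does this request
// trigger an OPTIONS preflight, and does this response pass the CORS check?
// All request/response samples below are constructed for the example.

const SAFELISTED_METHODS = new Set(['GET', 'HEAD', 'POST']);
const SAFELISTED_HEADERS = new Set(['accept', 'accept-language', 'content-language', 'content-type']);
const SAFELISTED_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded',
  'multipart/form-data',
  'text/plain',
]);

// Lower-case header names so lookups are case-insensitive, as in HTTP.
function normalizeHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers || {})) {
    out[name.toLowerCase()] = String(value).trim();
  }
  return out;
}

// Request headers that are not CORS-safelisted and therefore must be named in
// Access-Control-Allow-Headers. Content-Type only counts as safelisted when
// its media type is one of the three form/plain-text types.
function nonSafelistedHeaders(headers) {
  const out = [];
  for (const [name, value] of Object.entries(normalizeHeaders(headers))) {
    if (!SAFELISTED_HEADERS.has(name)) {
      out.push(name);
    } else if (name === 'content-type') {
      const mime = value.split(';')[0].trim().toLowerCase();
      if (!SAFELISTED_CONTENT_TYPES.has(mime)) out.push(name);
    }
  }
  return out;
}

// True when the browser would send an OPTIONS preflight before this request.
function needsPreflight(request) {
  return !SAFELISTED_METHODS.has(request.method.toUpperCase())
    || nonSafelistedHeaders(request.headers).length > 0;
}

// Split a comma-separated header value into trimmed, transformed tokens.
function tokens(value, transform) {
  return (value || '').split(',').map((s) => transform(s.trim())).filter(Boolean);
}

// The checks a browser applies to a cross-origin response. With `preflight`
// set, the method and header checks of a preflight response are applied too.
// Returns { allowed, reason } so a caller can display why a request failed.
function checkCorsResponse({ origin, request, withCredentials = false, preflight = false }, responseHeaders) {
  const res = normalizeHeaders(responseHeaders);
  const acao = res['access-control-allow-origin'];
  if (acao === undefined) {
    return { allowed: false, reason: 'missing Access-Control-Allow-Origin' };
  }
  if (acao === '*') {
    // The wildcard is never accepted for credentialed requests.
    if (withCredentials) return { allowed: false, reason: 'wildcard origin with credentials' };
  } else if (acao !== origin) {
    return { allowed: false, reason: `origin ${origin} not allowed (got ${acao})` };
  }
  if (withCredentials && res['access-control-allow-credentials'] !== 'true') {
    return { allowed: false, reason: 'Access-Control-Allow-Credentials is not "true"' };
  }
  if (preflight) {
    const method = request.method.toUpperCase();
    const methods = tokens(res['access-control-allow-methods'], (s) => s.toUpperCase());
    // '*' in the method/header lists only counts for requests without credentials.
    const wildcard = (list) => list.includes('*') && !withCredentials;
    if (!SAFELISTED_METHODS.has(method) && !methods.includes(method) && !wildcard(methods)) {
      return { allowed: false, reason: `method ${method} not in Access-Control-Allow-Methods` };
    }
    const headers = tokens(res['access-control-allow-headers'], (s) => s.toLowerCase());
    for (const name of nonSafelistedHeaders(request.headers)) {
      // Authorization must always be listed explicitly; '*' does not cover it.
      if (!headers.includes(name) && !(wildcard(headers) && name !== 'authorization')) {
        return { allowed: false, reason: `header ${name} not in Access-Control-Allow-Headers` };
      }
    }
  }
  return { allowed: true, reason: 'ok' };
}

// Constructed walk-through: a JSON PUT with a custom header from https://app.example.
const sampleRequest = { method: 'PUT', headers: { 'Content-Type': 'application/json', 'X-Request-Id': 'abc123' } };
const samplePreflightResponse = {
  'Access-Control-Allow-Origin': 'https://app.example',
  'Access-Control-Allow-Methods': 'GET, PUT',
  'Access-Control-Allow-Headers': 'Content-Type, X-Request-Id',
};
console.log('preflight needed:', needsPreflight(sampleRequest));
console.log(checkCorsResponse({ origin: 'https://app.example', request: sampleRequest, preflight: true }, samplePreflightResponse));
```

Running the sample shows the two halves of a typical failure report: a `PUT` carrying `application/json` needs a preflight, and the preflight passes only because the server listed both `PUT` and the two non-safelisted headers. Dropping `X-Request-Id` from the response, or replacing the echoed origin with `*` on a credentialed request, flips `allowed` to `false` with a reason string that matches what the browser console would report.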

How can I fix CORS errors on my server?

To fix CORS errors, you need to configure your server to include the appropriate CORS headers in its responses. At minimum, add Access-Control-Allow-Origin with either a wildcard (*) or the specific requesting origin. For non-simple requests, also add Access-Control-Allow-Methods and Access-Control-Allow-Headers. Most web frameworks have CORS middleware packages that simplify this configuration, such as cors for Express.js, django-cors-headers for Django, or rack-cors for Ruby on Rails.

Does this tool actually make real cross-origin requests?

Yes, this tool makes real fetch requests from your browser to the URL you specify, which means the browser's CORS policy is fully enforced. If the target server does not include CORS headers, the browser will block the response and the tool will show a CORS blocked status. This gives you an accurate picture of how your browser application would behave when making the same request.