CORS Tester

Test CORS configuration for any URL — checks preflight OPTIONS response and the actual request headers, and flags common misconfigurations.


How CORS works

The browser enforces a two-step check before allowing cross-origin requests.

1. Preflight (OPTIONS)

For non-simple requests (POST/PUT/DELETE, custom headers, JSON bodies), the browser automatically sends an OPTIONS request first with Origin and Access-Control-Request-Method headers. The server must respond with the matching Access-Control-Allow-* headers.

OPTIONS /api/data HTTP/1.1
Origin: https://app.com
Access-Control-Request-Method: POST

2. Server response

The server responds to the preflight with CORS headers. If Access-Control-Allow-Origin matches the request origin, the browser proceeds. If the header is missing or mismatched, the browser blocks the request.

Access-Control-Allow-Origin: https://app.com
Access-Control-Allow-Methods: POST, GET
Access-Control-Allow-Headers: Content-Type

3. Actual request

Only if the preflight passes does the browser send the actual request. The server should also include Access-Control-Allow-Origin on the actual response, not just the preflight.

POST /api/data HTTP/1.1
Origin: https://app.com
Content-Type: application/json
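The three steps above, implemented server-side as an added example (this is not the tool's own code): a Node.js request handler that answers the preflight itself, reflects only allowlisted origins, and puts the same Access-Control-Allow-Origin on the actual response. The allowlist, methods, headers and max-age are assumed values, and Vary: Origin is included so shared caches cannot replay a reflected header to a different origin.

```javascript
// Added example, not the tool's own code: a CORS policy function for a
// Node.js server, kept free of socket I/O so it can be unit-tested. The
// allowlist, methods, headers and max-age below are assumed values.
const POLICY = {
  allowedOrigins: new Set(["https://app.com", "https://admin.app.com"]),
  allowedMethods: ["GET", "POST", "PUT", "DELETE"],
  allowedHeaders: ["Content-Type", "Authorization"],
  allowCredentials: true,
  maxAgeSeconds: 600,
};
// Decide the CORS headers (and, for preflights, the status) for one request.
// `req` mirrors a Node IncomingMessage: `method` plus lower-cased `headers`.
function corsDecision(req, policy = POLICY) {
  const origin = req.headers["origin"];
  const headers = {};
  // Same-origin or non-browser clients send no Origin: nothing to add.
  if (!origin) return { preflight: false, status: null, headers };
  // Allowlist check: reflect only a known origin, never the raw request value,
  // and set Vary so a shared cache cannot replay it to a different origin.
  if (policy.allowedOrigins.has(origin)) {
    headers["Access-Control-Allow-Origin"] = origin;
    headers["Vary"] = "Origin";
    if (policy.allowCredentials) {
      headers["Access-Control-Allow-Credentials"] = "true";
    }
  }
  // A preflight is an OPTIONS request carrying Access-Control-Request-Method.
  const isPreflight =
    req.method === "OPTIONS" && "access-control-request-method" in req.headers;
  if (isPreflight) {
    headers["Access-Control-Allow-Methods"] = policy.allowedMethods.join(", ");
    headers["Access-Control-Allow-Headers"] = policy.allowedHeaders.join(", ");
    headers["Access-Control-Max-Age"] = String(policy.maxAgeSeconds);
    // Answer here with 204 so a router that rejects unknown methods never
    // turns the preflight into a 405.
    return { preflight: true, status: 204, headers };
  }
  // Actual request: the same Allow-Origin header goes on this response too.
  return { preflight: false, status: null, headers };
}
// Request handler for require("http").createServer(handle).listen(port).
function handle(req, res) {
  const d = corsDecision(req);
  for (const [k, v] of Object.entries(d.headers)) res.setHeader(k, v);
  if (d.preflight) { res.writeHead(d.status); res.end(); return; }
  res.writeHead(200, { "Content-Type": "application/json" });
  res.end(JSON.stringify({ ok: true }));
}
```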

CORS response headers explained

Access-Control-Allow-Origin (required)

Which origin(s) can access the resource. Either a specific origin (https://app.com), a wildcard (*) for public APIs, or null. Avoid allowing null: sandboxed iframes and some redirect and file-based contexts send Origin: null, so it does not identify a trusted site. Must be present on both preflight and actual responses.

Example: https://app.com or *
Access-Control-Allow-Methods (required)

Which HTTP methods are permitted for the cross-origin request. Required on preflight responses.

Example: GET, POST, PUT, DELETE, OPTIONS
Access-Control-Allow-Headers (required)

Which request headers the browser is allowed to send. Required on preflight when the request has custom headers like Content-Type or Authorization.

Example: Content-Type, Authorization
Access-Control-Allow-Credentials (optional)

Whether the browser should include credentials (cookies, HTTP auth) in the request. Cannot be used with a wildcard origin — must reflect the exact origin.

Example: true
Access-Control-Max-Age (optional)

How long (seconds) the browser can cache the preflight response. Higher values reduce preflight requests but slow down policy changes.

Example: 86400
Access-Control-Expose-Headers (optional)

Which response headers are accessible to browser JavaScript. By default only CORS-safelisted headers are exposed.

Example: X-Request-Id, X-RateLimit-Remaining

Common CORS misconfigurations

Wildcard + credentials

✗ Wrong:
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true

✓ Correct:
Access-Control-Allow-Origin: https://app.com
Access-Control-Allow-Credentials: true

Browsers reject a wildcard origin combined with credentials. Reflect the exact request origin instead, after checking it against your allowlist.

Missing header on actual response

✗ Wrong:
OPTIONS → Access-Control-Allow-Origin: https://app.com
GET     → (no CORS headers)

✓ Correct:
OPTIONS → Access-Control-Allow-Origin: https://app.com
GET     → Access-Control-Allow-Origin: https://app.com

CORS headers must be present on both the preflight AND the actual response. Many servers only set them on OPTIONS.

Not handling OPTIONS method

✗ Wrong:
OPTIONS /api → 405 Method Not Allowed

✓ Correct:
OPTIONS /api → 200 OK (with CORS headers)

Your server or framework must handle OPTIONS requests explicitly. Some frameworks block unknown methods by default.

Returning multiple Allow-Origin values

✗ Wrong:
Access-Control-Allow-Origin: https://a.com, https://b.com

✓ Correct:
// Read the request Origin, check it against an allowlist
Access-Control-Allow-Origin: https://b.com  // reflected dynamically

The header accepts only one value (or *). To allow multiple origins, maintain an allowlist server-side and reflect the matching origin dynamically; also send Vary: Origin so a shared cache does not serve the response reflected for one origin to a different one.
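The four checks above, as an added example that is not the tool's own implementation: an offline audit function that takes the status and headers of a preflight response and of the actual response, plus the origin under test, and returns the misconfigurations it finds. The two responses fed to it at the bottom are constructed samples, not captured from any real server.

```javascript
// Added example (not the tool's own code): audit a preflight and an actual
// response for the CORS misconfigurations listed on this page.
// `preflight` / `actual` are { status, headers } objects as a fetch() of the
// target would produce; header-name case is normalised before lookup.
function auditCors(origin, preflight, actual) {
  const findings = [];
  const h = (r, name) => {
    const key = Object.keys(r.headers).find((k) => k.toLowerCase() === name);
    return key === undefined ? undefined : String(r.headers[key]).trim();
  };
  const acao = h(preflight, "access-control-allow-origin");
  const creds = h(preflight, "access-control-allow-credentials");
  // 1. OPTIONS must be answered with a 2xx, not 405 or another error.
  if (preflight.status < 200 || preflight.status >= 300) {
    findings.push(`OPTIONS not handled: preflight returned ${preflight.status}`);
  }
  // 2. Exactly one origin (or *) in Access-Control-Allow-Origin, and it
  //    must be usable with the credentials setting and match the origin.
  if (acao === undefined) {
    findings.push("Access-Control-Allow-Origin missing on preflight response");
  } else if (acao.includes(",")) {
    findings.push("multiple values in Access-Control-Allow-Origin (only one or * is valid)");
  } else if (acao === "*" && creds === "true") {
    findings.push("wildcard origin combined with Allow-Credentials: true (browsers reject this)");
  } else if (acao === "null") {
    findings.push("Access-Control-Allow-Origin: null is allowed (untrusted contexts send Origin: null)");
  } else if (acao !== "*" && acao !== origin) {
    findings.push(`Access-Control-Allow-Origin (${acao}) does not match tested origin ${origin}`);
  }
  // 3. The actual response needs the header too, not just the preflight.
  if (h(actual, "access-control-allow-origin") === undefined) {
    findings.push("Access-Control-Allow-Origin missing on actual response");
  }
  return findings;
}
// Constructed sample: a server that answers OPTIONS but sends * together
// with credentials, and forgets the header entirely on the real GET.
const SAMPLE_FINDINGS = auditCors(
  "https://app.com",
  { status: 200, headers: { "Access-Control-Allow-Origin": "*",
                            "Access-Control-Allow-Credentials": "true" } },
  { status: 200, headers: { "Content-Type": "application/json" } },
);
```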

Frequently asked questions

What is CORS?

CORS (Cross-Origin Resource Sharing) is a browser security mechanism that controls which origins' scripts may read responses from your API. When JavaScript on domain-a.com tries to fetch from api.domain-b.com, the browser checks the server's CORS headers before allowing the response to be read.

What is a preflight request?

A preflight is an automatic OPTIONS request the browser sends before non-simple cross-origin requests (POST with JSON, PUT, DELETE, custom headers). The server must respond with Access-Control-Allow-Origin, Allow-Methods and Allow-Headers. If the preflight fails, the browser never sends the actual request.

Can I use Access-Control-Allow-Origin: * with cookies?

No. Wildcard origin (*) combined with Access-Control-Allow-Credentials: true is invalid — browsers reject it. To allow credentials, you must reflect the exact request Origin in Access-Control-Allow-Origin and set Access-Control-Allow-Credentials: true.

Why does CORS only affect browsers?

CORS is enforced by browsers, not servers. curl, Postman and server-to-server requests are not subject to CORS. If your API works in Postman but not in the browser, CORS headers are likely missing or misconfigured on the server.
