CORS Tester
Test CORS configuration for any URL — checks preflight OPTIONS response and the actual request headers, and flags common misconfigurations.
How CORS works
The browser enforces a two-step check before allowing cross-origin requests.
For non-simple requests (POST/PUT/DELETE, custom headers, JSON bodies), the browser automatically sends an OPTIONS request first with Origin and Access-Control-Request-Method headers. The server must respond with the appropriate Access-Control-Allow-* headers.
OPTIONS /api/data HTTP/1.1
Origin: https://app.com
Access-Control-Request-Method: POST
The server responds to the preflight with CORS headers. If Access-Control-Allow-Origin matches the request origin, the browser proceeds. If the header is missing or mismatched, the browser blocks the request.
Access-Control-Allow-Origin: https://app.com
Access-Control-Allow-Methods: POST, GET
Access-Control-Allow-Headers: Content-Type
Only if the preflight passes does the browser send the actual request. The server should also include Access-Control-Allow-Origin on the actual response, not just the preflight.
POST /api/data HTTP/1.1
Origin: https://app.com
Content-Type: application/json
CORS response headers explained
Access-Control-Allow-Origin
Required
Which origin(s) can access the resource. Either a specific origin (https://app.com), a wildcard (*) for public APIs, or null. Must be present on both preflight and actual responses.
Example: https://app.com or *
Access-Control-Allow-Methods
Required
Which HTTP methods are permitted for the cross-origin request. Required on preflight responses.
Example: GET, POST, PUT, DELETE, OPTIONS
Access-Control-Allow-Headers
Required
Which request headers the browser is allowed to send. Required on preflight when the request carries headers that are not CORS-safelisted, such as Authorization or a Content-Type like application/json.
Example: Content-Type, Authorization
Access-Control-Allow-Credentials
Optional
Whether the browser should include credentials (cookies, HTTP auth) in the request. Cannot be used with a wildcard origin — must reflect the exact origin.
Example: true
Access-Control-Max-Age
Optional
How long (seconds) the browser can cache the preflight response. Higher values reduce preflight requests but slow down policy changes.
Example: 86400
Access-Control-Expose-Headers
Optional
Which response headers are accessible to browser JavaScript. By default only CORS-safelisted headers are exposed.
Example: X-Request-Id, X-RateLimit-Remaining
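As an added example (not the tester's own code), the check below applies the two-step flow from "How CORS works" and the header rules from the table above to constructed header dicts; the origin, methods and header values are sample data, not captured responses.

```python
# Added example (not the tester's own code); the header dicts below are constructed samples.
SAFE_METHODS = {"get", "head", "post"}   # permitted even if not listed in Allow-Methods
# Content-Type is safelisted only for form/text values, so a JSON request must list it.
SAFE_HEADERS = {"accept", "accept-language", "content-language"}


def _csv(value):
    """Split a comma-separated header value into a lower-cased set."""
    return {v.strip().lower() for v in value.split(",") if v.strip()}


def check_cors(origin, method, req_headers, preflight, actual):
    """Return (allowed, findings): `preflight`/`actual` are the OPTIONS and
    real response header dicts, `req_headers` the names the request sends."""
    p = {k.lower(): v.strip() for k, v in preflight.items()}
    a = {k.lower(): v.strip() for k, v in actual.items()}
    findings, allowed = [], True
    acao = p.get("access-control-allow-origin")
    creds = p.get("access-control-allow-credentials", "").lower() == "true"
    # Step 2: Allow-Origin must match; '*' is refused once credentials are on.
    if acao not in ("*", origin):
        allowed = False
        findings.append("preflight: Access-Control-Allow-Origin missing or mismatched")
    elif acao == "*" and creds:
        allowed = False
        findings.append("preflight: wildcard origin is rejected with Allow-Credentials")
    # With credentials, '*' in Allow-Methods/Allow-Headers is literal, not a wildcard.
    methods = _csv(p.get("access-control-allow-methods", ""))
    if method.lower() not in (methods | SAFE_METHODS) and not ("*" in methods and not creds):
        allowed = False
        findings.append(f"preflight: method {method} not in Access-Control-Allow-Methods")
    hdrs = _csv(p.get("access-control-allow-headers", ""))
    missing = [h for h in req_headers if h.lower() not in (hdrs | SAFE_HEADERS)
               and not ("*" in hdrs and not creds)]
    if missing:
        allowed = False
        findings.append("preflight: headers not allowed: " + ", ".join(missing))
    # Step 3: the real response needs Allow-Origin too, not only the preflight.
    if a.get("access-control-allow-origin") not in ("*", origin):
        allowed = False
        findings.append("actual: Access-Control-Allow-Origin missing on the real response")
    return allowed, findings


# Constructed samples: the responses shown above, and a broken variant.
PREFLIGHT_OK = {"Access-Control-Allow-Origin": "https://app.com",
                "Access-Control-Allow-Methods": "POST, GET",
                "Access-Control-Allow-Headers": "Content-Type"}
ACTUAL_OK = {"Access-Control-Allow-Origin": "https://app.com"}
PREFLIGHT_BAD = {"Access-Control-Allow-Origin": "*",
                 "Access-Control-Allow-Credentials": "true",
                 "Access-Control-Allow-Methods": "POST"}
```

Running check_cors("https://app.com", "POST", ["Content-Type"], PREFLIGHT_BAD, {}) reports the wildcard-plus-credentials conflict, the unlisted Content-Type header and the missing Allow-Origin on the real response.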