CORS Tester

Analyze CORS configuration and simulate cross-origin preflight requests against your API.

Note: Live preflight sends an OPTIONS request. API must be reachable from your browser.

About the CORS Tester

CORS (Cross-Origin Resource Sharing) is a browser security mechanism that restricts JavaScript from reading responses from a different origin (domain, protocol, or port) than the one that served the page. Misconfigured CORS is one of the most frustrating debugging experiences for frontend developers. This tool helps you understand and diagnose CORS issues.

How CORS Works

When your JavaScript at https://app.example.com tries to call https://api.other.com with anything beyond a simple request (for example a PUT, a JSON body, or an Authorization header), the browser first sends an HTTP preflight request (OPTIONS method) to ask the server "do you allow requests from this origin with these headers?" The server responds with CORS headers that either grant or deny access; the actual request is only sent if the preflight passes.

The CORS Response Headers

Access-Control-Allow-Origin: the only required CORS header. Can be a specific origin (https://app.example.com) or wildcard (*). The wildcard does NOT work with credentialed requests (cookies/auth). The value should come from a server-side allowlist, not be copied from whatever Origin the request sent.
Access-Control-Allow-Methods: comma-separated list of allowed HTTP methods.
Access-Control-Allow-Headers: headers the client is allowed to send.
Access-Control-Max-Age: how long (in seconds) the browser can cache the preflight response.
Access-Control-Allow-Credentials: true: allows cookies and Authorization headers cross-origin. Requires a specific origin in Access-Control-Allow-Origin.

Common CORS Errors and Fixes

"No 'Access-Control-Allow-Origin' header": The server isn't responding with CORS headers at all. CORS must be enabled server-side.
"Origin not allowed": The server's Access-Control-Allow-Origin doesn't match your frontend origin. Check for trailing slashes or protocol mismatches.
"Credential flag is 'true' but ACAO is '*'": You set withCredentials: true but the server sends *. Change to a specific origin.
"Method not allowed": The HTTP method isn't in Access-Control-Allow-Methods.
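A small model of the browser's preflight verdict, covering the header rules and the error cases listed above. This is an added example, not the CORS Tester's own code; the request and response objects it takes are constructed inputs, and Content-Type is treated as always safelisted, which real browsers only do for a few values.

```javascript
// Added example (not the CORS Tester's own code): a small model of the
// browser's preflight verdict. Simplification: Content-Type is treated as
// always safelisted; real browsers safelist only a few of its values.
const SIMPLE_METHODS = new Set(['GET', 'HEAD', 'POST']);
const SAFELISTED = new Set(['accept', 'accept-language', 'content-language', 'content-type']);
const parseList = v => (v || '').split(',').map(s => s.trim()).filter(Boolean);
const noSlash = o => o.replace(/\/$/, '');
const noScheme = o => o.replace(/^https?:/, '');

// request: { origin, method, headers: [names], withCredentials }
// response: preflight response headers as an object (names case-insensitive)
function evaluatePreflight(request, response) {
  const h = {};
  for (const [k, v] of Object.entries(response)) h[k.toLowerCase()] = String(v).trim();
  const creds = Boolean(request.withCredentials);
  const errors = [];
  const acao = h['access-control-allow-origin'];
  if (acao === undefined) {
    errors.push("No 'Access-Control-Allow-Origin' header");
  } else if (acao === '*') {
    if (creds) errors.push("Credential flag is 'true' but ACAO is '*'");
  } else if (acao !== request.origin) {
    // Browsers compare origins as exact strings; hint at the usual causes.
    let why = `Origin not allowed: server sent '${acao}'`;
    if (noSlash(acao) === noSlash(request.origin)) why += ' (trailing slash mismatch)';
    else if (noScheme(acao) === noScheme(request.origin)) why += ' (protocol mismatch)';
    errors.push(why);
  }
  if (creds && h['access-control-allow-credentials'] !== 'true') {
    errors.push("Credentialed request but Access-Control-Allow-Credentials is not 'true'");
  }
  // '*' in Allow-Methods / Allow-Headers is a wildcard only without credentials, never for Authorization.
  const method = request.method.toUpperCase();
  const methods = parseList(h['access-control-allow-methods']).map(m => m.toUpperCase());
  if (!SIMPLE_METHODS.has(method) && !methods.includes(method) && !(methods.includes('*') && !creds)) {
    errors.push(`Method not allowed: ${method}`);
  }
  const allowed = parseList(h['access-control-allow-headers']).map(x => x.toLowerCase());
  for (const name of request.headers || []) {
    const n = name.toLowerCase();
    const wildcard = allowed.includes('*') && !creds && n !== 'authorization';
    if (!SAFELISTED.has(n) && !allowed.includes(n) && !wildcard) errors.push(`Header not allowed: ${name}`);
  }
  return { allowed: errors.length === 0, errors };
}

// Constructed sample: the '*' plus withCredentials mistake from the error list above.
const SAMPLE_VERDICT = evaluatePreflight(
  { origin: 'https://app.example.com', method: 'PUT', headers: ['Authorization'], withCredentials: true },
  { 'Access-Control-Allow-Origin': '*', 'Access-Control-Allow-Methods': 'GET, POST' }
);
```

Run it and inspect SAMPLE_VERDICT.errors to see every reason the browser would refuse the request, not just the first one the console reports.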

CORS Is Client-Side Only

CORS enforcement happens in the browser: server-to-server calls (cURL, Postman, Python requests, AWS Lambda) are never blocked by CORS. If your API works in Postman but not in the browser, CORS is the reason. If it fails in both, the issue is not CORS. For the same reason, CORS headers are not access control: anything the API returns must still be protected by authentication and authorization on the server.

Quick Server Fixes

Express/Node.js: app.use(require('cors')({ origin: 'https://app.example.com' }))
FastAPI/Python: app.add_middleware(CORSMiddleware, allow_origins=['https://app.example.com'])
Nginx: Add add_header Access-Control-Allow-Origin https://app.example.com; to your server block.
AWS API Gateway: Enable CORS in the console or set it in your OpenAPI spec under x-amazon-apigateway-cors.