What Is a CORS Header Tester?
A CORS (Cross-Origin Resource Sharing) header tester helps you verify whether a browser request from one origin would be allowed by a server's CORS configuration. CORS is a security mechanism that lets servers specify which origins can access their resources, preventing unauthorized cross-domain requests.
How to Use This CORS Tester
- Enter the request origin (the domain making the request).
- Specify the HTTP method and any custom headers.
- Configure the server's CORS settings (allowed origins, methods, headers).
- Click "Test CORS" to see pass/fail results for each check.
Key CORS Concepts
Simple requests (GET, HEAD, POST with standard headers) may not trigger a preflight. Non-simple requests send an OPTIONS preflight first. The server must respond with appropriate Access-Control-Allow-* headers. Using * for Allow-Origin permits any origin but disallows credentials.
Frequently Asked Questions
What is a preflight request?
A preflight is an OPTIONS request the browser sends before the actual request when using non-simple methods (PUT, DELETE) or custom headers. The server must respond with the correct CORS headers for the actual request to proceed.
Why does my CORS request fail even with the correct origin?
Common causes include missing allowed methods, missing allowed headers (especially for custom headers like Authorization), or the server not handling OPTIONS preflight requests properly.