CORS testing

CORS Checker

Checks whether an API accepts requests from your origin. It sends a preflight OPTIONS request followed by the actual request, and shows all Access-Control-* headers the server returns.

What is CORS?

CORS (Cross-Origin Resource Sharing) is a browser security mechanism. By default, a script on https://a.com cannot read responses from https://b.com. The server at b.com must opt in by sending Access-Control-Allow-Origin headers. For non-simple requests (POST with JSON, custom headers, etc.), the browser first sends an OPTIONS "preflight" to check permission — if the server's response does not allow your origin, method, or headers, the actual request is blocked and you see a CORS error in DevTools.

CORS response headers explained

Access-Control-Allow-Origin

Specifies which origin is allowed. Either a single origin, "*" (any), or the request origin echoed back. When the server echoes the request origin, it should do so only after matching it against a list of allowed origins; echoing every Origin header together with Allow-Credentials: true lets any website read authenticated responses on behalf of the user.

Access-Control-Allow-Credentials

If "true", the browser allows the request to carry credentials (cookies, Authorization header) and lets the page read the response. Cannot be combined with Allow-Origin: *.

Access-Control-Allow-Methods

Which HTTP methods the server allows. Only relevant on preflight response.

Access-Control-Allow-Headers

Which request headers the server allows. Relevant for non-simple headers like Authorization, custom X-*.

Access-Control-Expose-Headers

Which response headers the browser lets JavaScript read. By default only a short safelist (Content-Type, Content-Length, Cache-Control and a few others) is readable.

Access-Control-Max-Age

How long (in seconds) the browser may cache the preflight result. Higher values avoid repeated OPTIONS requests.

CORS Checker FAQ

Why does my browser show CORS errors but this tool shows headers?

CORS is enforced by the browser, not the server. This tool runs on our backend, so no CORS rules apply — we see the raw server response. Your browser blocks the request client-side based on the Access-Control-* headers. If the headers shown here do not match your origin/method/headers, the browser will block, even though the server responded.

What is a preflight OPTIONS request?

For "non-simple" cross-origin requests (anything that is not a GET, HEAD or POST carrying only safelisted headers and a form or text/plain Content-Type), the browser first sends an OPTIONS request asking "can I make this request?". The server answers with Access-Control-Allow-Methods, Access-Control-Allow-Headers, and Access-Control-Allow-Origin. If these allow your actual request, the browser proceeds. Otherwise it blocks.
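As an added example that is not part of this page or the CORS Checker's own code, the JavaScript below models the two decisions the browser makes: whether a request needs a preflight, and, given the Access-Control-* headers the tool shows, whether the browser would block. The origins, sample request and sample response are constructed for the example.

```javascript
// Added example (not the CORS Checker's code): a model of the browser-side
// CORS decision. Two questions: does a request need a preflight, and, given
// the server's Access-Control-* headers, would the browser block it?

const SAFE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFE_HEADERS = new Set(["accept", "accept-language", "content-language", "content-type"]);
const SAFE_CONTENT_TYPES = new Set(["application/x-www-form-urlencoded", "multipart/form-data", "text/plain"]);

// Header names that are not CORS-safelisted: they force a preflight and must
// appear in Access-Control-Allow-Headers.
function unsafeHeaderNames(headers) {
  const out = [];
  for (const [name, value] of Object.entries(headers)) {
    const n = name.toLowerCase();
    if (!SAFE_HEADERS.has(n)) { out.push(n); continue; }
    if (n === "content-type") {
      const mime = String(value).split(";")[0].trim().toLowerCase();
      if (!SAFE_CONTENT_TYPES.has(mime)) out.push(n);
    }
  }
  return out;
}

// A request is "simple" (sent without preflight) only when its method is
// GET/HEAD/POST and every header is safelisted.
function needsPreflight(method, headers) {
  return !SAFE_METHODS.has(method.toUpperCase()) || unsafeHeaderNames(headers).length > 0;
}

// Split a comma-separated header value into trimmed tokens.
function tokens(value) {
  return (value || "").split(",").map((s) => s.trim()).filter(Boolean);
}

// Returns null if the browser would let the request through, otherwise a
// string describing why it blocks. `response` maps lower-case header names
// to values, as the tool displays them.
function corsBlockReason(request, response) {
  const { origin, method, headers, credentials } = request;
  const allowOrigin = response["access-control-allow-origin"];
  if (allowOrigin === undefined) return "missing Access-Control-Allow-Origin";
  if (allowOrigin === "*") {
    if (credentials) return "Allow-Origin '*' is rejected for credentialed requests";
  } else if (allowOrigin !== origin) {
    return `origin ${origin} is not allowed (server allows ${allowOrigin})`;
  }
  if (credentials && response["access-control-allow-credentials"] !== "true") {
    return "credentialed request but Access-Control-Allow-Credentials is not 'true'";
  }
  if (!needsPreflight(method, headers)) return null;

  // Preflight: the method and every non-safelisted header must be permitted.
  // A literal '*' acts as a wildcard only for requests without credentials.
  const wildcardOk = !credentials;
  const m = method.toUpperCase();
  const allowedMethods = tokens(response["access-control-allow-methods"]).map((s) => s.toUpperCase());
  if (!SAFE_METHODS.has(m) && !allowedMethods.includes(m) && !(wildcardOk && allowedMethods.includes("*"))) {
    return `method ${m} is not in Access-Control-Allow-Methods`;
  }
  const allowedHeaders = new Set(tokens(response["access-control-allow-headers"]).map((s) => s.toLowerCase()));
  for (const name of unsafeHeaderNames(headers)) {
    // '*' never covers Authorization; it has to be listed explicitly.
    const viaWildcard = wildcardOk && allowedHeaders.has("*") && name !== "authorization";
    if (!allowedHeaders.has(name) && !viaWildcard) {
      return `header ${name} is not in Access-Control-Allow-Headers`;
    }
  }
  return null;
}

// Constructed sample mirroring the FAQ: a JSON POST with a cookie, against a
// server that answers with the wildcard origin.
const sampleRequest = { origin: "https://a.com", method: "POST",
  headers: { "Content-Type": "application/json" }, credentials: true };
const sampleResponse = { "access-control-allow-origin": "*",
  "access-control-allow-methods": "GET, POST", "access-control-allow-headers": "Content-Type" };

console.log(needsPreflight(sampleRequest.method, sampleRequest.headers)); // true
console.log(corsBlockReason(sampleRequest, sampleResponse)); // Allow-Origin '*' is rejected for credentialed requests
```

Feed it the headers the tool reports for your endpoint and the request your frontend actually makes; the returned reason is the same condition the browser's DevTools error is complaining about.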

Why is Access-Control-Allow-Origin: * not enough for my request?

If your request includes credentials (cookies, Authorization header, TLS client cert), the browser rejects "*" and requires a specific origin. The server must echo your exact origin in Access-Control-Allow-Origin and set Access-Control-Allow-Credentials: true.

Does CORS work for server-to-server requests?

No. CORS is purely a browser security feature. curl, Node fetch from a server, Postman, or any non-browser client ignores CORS entirely. If you see "CORS error" from a non-browser environment, the actual problem is elsewhere (network, auth, wrong URL).

How do I fix a CORS error?

Fix it on the server, not the client. Add the correct Access-Control-Allow-Origin (your frontend origin), Allow-Methods (GET/POST/etc. you use), and Allow-Headers (any custom or auth headers you send). For credentials, add Allow-Credentials: true, and allow specific origins from a list rather than echoing whatever Origin header arrives. Make sure OPTIONS is handled and returns 2xx. Browser extensions that disable CORS are a development shortcut — never deploy a real app relying on them.
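As an added example, not the CORS Checker's code or any particular framework's, here is the server-side fix described above written as a plain Node.js request handler. The allowed origins, methods and headers are assumed values for an imaginary frontend; substitute your own.

```javascript
// Added example (not the CORS Checker's code): the server-side fix as a
// plain Node.js handler with an explicit origin allowlist.

// Assumed frontend origins; replace with the origins your app is served from.
const ALLOWED_ORIGINS = new Set(["https://app.example", "http://localhost:3000"]);
const ALLOWED_METHODS = ["GET", "POST", "PUT", "DELETE"];
const ALLOWED_HEADERS = ["Content-Type", "Authorization", "X-Request-Id"];

// CORS headers for one request. Returns {} for an origin not on the list, so
// a page there gets nothing readable. The origin is echoed only after an
// exact match: reflecting any Origin together with Allow-Credentials: true
// would let any site read the user's authenticated responses.
function corsHeaders(origin) {
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return {};
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    // The response differs per origin, so shared caches must key on Origin.
    "Vary": "Origin",
  };
}

// The extra headers only the preflight response needs.
function preflightHeaders(origin) {
  const base = corsHeaders(origin);
  if (Object.keys(base).length === 0) return {};
  return {
    ...base,
    "Access-Control-Allow-Methods": ALLOWED_METHODS.join(", "),
    "Access-Control-Allow-Headers": ALLOWED_HEADERS.join(", "),
    "Access-Control-Max-Age": "600",
  };
}

// Decide status, headers and body for a request. Kept pure (no socket
// access) so the CORS behaviour can be unit tested.
function route(method, origin) {
  if (method === "OPTIONS") {
    // Preflight: 2xx with no body is all the browser needs.
    return { status: 204, headers: preflightHeaders(origin), body: "" };
  }
  return {
    status: 200,
    headers: { "Content-Type": "application/json", ...corsHeaders(origin) },
    body: JSON.stringify({ ok: true }),
  };
}

// Node lower-cases incoming header names, hence req.headers.origin.
function handler(req, res) {
  const { status, headers, body } = route(req.method, req.headers.origin);
  res.writeHead(status, headers);
  res.end(body);
}
```

Start it with `require("http").createServer(handler).listen(8080)` and point the checker at it: the preflight shows Allow-Methods, Allow-Headers and Max-Age, the actual request shows only Allow-Origin and Allow-Credentials, and a request from an origin outside the list shows no Access-Control-* headers at all.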