CORS Tester

About the Tool

If you build web apps, you know the pain of cross-origin resource sharing errors. You make a fetch request, and the browser throws a red wall of text in your console. Our cors tester fixes this. It acts as an independent proxy that runs the exact same preflight checks your browser does, but actually shows you what went wrong instead of just blocking the connection.

I built this because debugging Access-Control-Allow-Origin issues blindly takes way too much time. You need a fast way to test cors headers online without messing with browser extensions or opening Postman. This utility sends the OPTIONS request, reads the raw response headers, and tells you exactly what to change on your server.

How to Use

Testing your endpoint takes just three quick steps.

1. Drop in your URL: Paste the full endpoint you want to test into the Target URL box.
2. Set your Origin: Type the URL of the frontend app that is trying to make the request (like https://localhost:3000).
3. Run the test: Hit the button. The tool sends a preflight OPTIONS request followed by your chosen HTTP method.

You'll immediately see a pass, fail, or warning verdict. If something fails, open the check card to see exactly how to fix your server config.

Privacy & Security

Here's the thing — testing APIs sometimes involves sensitive endpoints. Your security matters.

When you use this tool, your request routes through a secure serverless function that acts as a pass-through proxy. We do not log your endpoints, we do not store your custom headers, and we never save your API responses. The data exists in memory just long enough to test the CORS policy and send the results back to your screen. The moment you close the tab, the test is gone permanently.

Features

Most tools just ping a URL and check for a 200 OK. This one digs deeper to catch the edge cases that actually break your app.

• Preflight Analysis: Automatically sends an OPTIONS request to check what your server permits before the real request fires.
• Credential Validation: Checks if your server safely allows cookies or authorization headers without using the dangerous wildcard origin.
• Vary Header Detection: Ensures your caching layers won't accidentally serve a CORS response to the wrong domain.
• Raw Header Inspection: Gives you full visibility into the raw response headers so you can verify exactly what your server sent back.

Technical Specifications

For the developers who want to know how the testing engine works under the hood.

Frequently Asked Questions

Why does my request work in Postman but fail in the browser?

Postman is a desktop app, so it ignores CORS policies completely. Browsers actively enforce CORS to stop malicious scripts from reading your data. That's why you need a dedicated tester to verify the headers.

What is a preflight request?

A preflight is a quick OPTIONS request the browser sends before a complex request (like a POST with JSON). It asks the server, "Are you okay with me sending this?" If the server doesn't reply with the right Access-Control headers, the browser cancels the real request.

Can I just set my origin to a wildcard (*)?

You can, but there's a catch. If you use a wildcard, browsers will not let you send credentials like cookies or secure auth tokens. If your app requires users to log in, you must specify the exact origin.

Why do I need the Vary: Origin header?

If you don't use this header, a CDN might cache a response meant for site A and accidentally serve it to site B. This causes random CORS errors that are a nightmare to debug. This tool automatically checks if you've set it correctly.