CORS Checker
Test whether a URL returns the right CORS headers for a given origin and method. Inspect preflight, credentials, and allowed methods - all from your browser, no signup.
What it checks
Every header the browser cares about, surfaced clearly.
One real cross-origin request, one full report - covering preflight, methods, credentials, and cache.
Access-Control-Allow-Origin
Reads the allowed origin returned by the server, whether it's a wildcard (*), an exact URL, or absent - the single most common reason a fetch fails in the browser.
Preflight (OPTIONS) handling
Sends a real OPTIONS preflight request with your chosen method and inspects whether the server responds with a valid Access-Control-Allow-Methods and Allow-Headers set.
Credentials policy
Flags the invalid combination of Access-Control-Allow-Origin: * with Access-Control-Allow-Credentials: true - the silent footgun that breaks cookied requests.
Allowed headers and methods
Lists the methods and request headers the server says it will accept so you can verify your client matches the server's allowlist.
Max-Age caching
Shows the Access-Control-Max-Age value - how long the browser caches the preflight result. A missing value means a preflight on every single request.
Simple vs preflighted
Classifies the request as simple (no preflight required) or preflighted, so you understand whether the browser will send one or two round trips.
How it works
Three fields, a real preflight, an honest verdict.
No browser extension, no curl gymnastics - paste, pick, read.
Paste the API URL
Enter the full endpoint URL you want to test, including the scheme. Anything you can fetch in a browser works here.
Set origin and method
Pick the origin your front-end will call from, and the HTTP method (GET, POST, PUT, DELETE, PATCH). The checker uses these for the preflight.
Read the verdict
You'll see every CORS response header, whether the request would succeed in a real browser, and exactly which header is missing or wrong.
Why CORS matters
The invisible layer between your API and your front-end.
When CORS is wrong, nothing in the network panel makes sense. When it's right, you forget it exists.
API access
A single missing Access-Control-Allow-Origin blocks every cross-origin fetch your front-end tries to make. Your API returns a 200, your browser shows a CORS error, and the user sees a broken page.
Security
Wildcarding Allow-Origin: * on a cookied API is the CORS equivalent of leaving the front door open. A precise origin list and a deliberate credentials policy is the line between safe and exploited.
Developer time
CORS errors are some of the most-Googled, least-understood bugs in web development. A quick, honest check from outside your stack saves hours of poking at middleware and proxy configs.
Reference
The CORS response headers, explained.
The headers the browser reads to decide whether your fetch lives or dies.
Access-Control-Allow-Origin
The allowed origin. Either a single URL, * (wildcard), or null. Wildcards cannot be combined with credentials.
Access-Control-Allow-Methods
Returned on preflight. The HTTP methods the server will accept for the actual request - GET, POST, PUT, DELETE, PATCH, and so on.
Access-Control-Allow-Headers
Returned on preflight. The custom request headers the server will accept, like Authorization or Content-Type for non-simple values.
Access-Control-Allow-Credentials
When true, the browser will send cookies and Authorization headers. Requires an exact origin in Allow-Origin - wildcards are rejected.
Access-Control-Max-Age
Seconds the browser may cache the preflight result. Without it, every cross-origin call pays the cost of an extra round trip.
Access-Control-Expose-Headers
Names the response headers your JavaScript is allowed to read. Anything not listed (and not on the safelist) is hidden from fetch().
FAQ
Frequently asked questions.
Quick answers about CORS, preflight, and the checker.
Why does my CORS request work in Postman but not in the browser?
Postman ignores CORS - it's a browser-only security mechanism. If a call works in Postman or curl but fails in the browser, the server is the problem: it's not returning the headers the browser requires for cross-origin access.
Can I use Access-Control-Allow-Origin: * with credentials?
No - this combination is forbidden by the CORS spec and the browser will reject the request. If you need cookies or Authorization headers, the server must echo back the specific origin (and set Vary: Origin to keep caches honest).
What's the difference between a simple request and a preflight?
Simple requests (GET, HEAD, or POST with a small set of content types) skip preflight and go straight to the server. Anything else - PUT, DELETE, JSON POSTs with custom headers - triggers an OPTIONS preflight first.
Why am I getting a CORS error on a same-origin request?
Usually it isn't actually same-origin. Check scheme (http vs https), subdomain (www vs apex), and port - any difference makes it cross-origin. Redirects across origins also trigger CORS.
How accurate is this checker?
It sends a real request from our edge and reads the actual response headers - the same headers your browser would see. If the headers are wrong here, they're wrong for your users too.
Can SiteTrak monitor CORS configuration over time?
Yes. SiteTrak can watch your API endpoints and alert the moment a CORS header changes or disappears - common after deploys, CDN config drift, or middleware rewrites.
Keep going
Other free tools you'll like.
Run one once, or set up SiteTrak and never run them again.
HTTP Header Inspector
Inspect every response header, redirect, cache directive, and CDN signature for any URL.
Security Headers
Grade your site's security headers (HSTS, CSP, X-Frame-Options) and get a letter score.
Redirect Checker
Trace every hop in a redirect chain, with status codes and final destination.
SSL / TLS Checker
Inspect the certificate, expiry, issuer, and TLS version for any domain.