CORS Header Checker
Check CORS response headers for allowed origins, credentials, methods, request headers, preflight behavior, and common browser issues.
CORS Analysis Result
Privacy Note
CORS header analysis happens locally in your browser. The headers you paste are not uploaded, stored, or processed on an external server.
Checking CORS Headers Before Debugging Browser API Errors
CORS controls whether a browser allows a page from one origin to read a response from another origin. An API can work in cURL, Postman, or server-side code but still fail in the browser when the response does not include the CORS headers the browser expects.
This checker reviews pasted response headers such as Access-Control-Allow-Origin, Access-Control-Allow-Methods, Access-Control-Allow-Headers, Access-Control-Allow-Credentials, Access-Control-Max-Age, Access-Control-Expose-Headers, and Vary. It also lets you add the request origin, method, and request headers so the warnings are closer to your real browser request.
The result is a practical debugging report, not a live network test. It helps you notice common CORS mistakes before changing server, CDN, API gateway, or reverse proxy configuration.
How to Use the CORS Header Checker
- Copy the response headers from DevTools, logs, or an API client.
- Paste the headers into the response header box.
- Add the browser request origin, method, and request headers if known.
- Click Analyze CORS Headers.
- Review missing headers, unsafe combinations, and preflight notes.
Common CORS Issues This Tool Checks
- Missing Access-Control-Allow-Origin headers.
- Wildcard origin used with credentialed requests.
- Multiple origins placed in one Access-Control-Allow-Origin value.
- Request methods not listed in Access-Control-Allow-Methods.
- Custom request headers not listed in Access-Control-Allow-Headers.
- Missing Vary: Origin when allowed origins are dynamic.
- Invalid or unusually high Access-Control-Max-Age values.
Example CORS Response Headers
Response headers:
Access-Control-Allow-Origin: https://app.example.com Access-Control-Allow-Methods: GET, POST, OPTIONS Access-Control-Allow-Headers: Content-Type, Authorization Access-Control-Allow-Credentials: true Access-Control-Max-Age: 600 Vary: Origin
Useful request context:
Origin: https://app.example.com Method: POST Request headers: Content-Type, Authorization
CORS Checker Limitations
- No live request: This tool checks pasted headers only. It does not fetch the URL or run a real preflight request.
- Browser behavior matters: CORS is enforced by browsers. Server-side clients like cURL are not blocked in the same way.
- Credentials need extra care: Cookies, HTTP authentication, and client certificates should not be combined with broad wildcard CORS rules.
- Server routing still matters: A correct header on one route does not prove that every API route, error route, or OPTIONS response is configured correctly.
Frequently Asked Questions
What is CORS?
CORS means Cross-Origin Resource Sharing. It is a browser mechanism that lets a server say which origins may read selected cross-origin responses.
Why does my API work in Postman but fail in the browser?
Postman and cURL are not restricted by browser CORS checks. A browser request can fail if the response or preflight response does not include the required CORS headers.
Can I use Access-Control-Allow-Origin: *?
A wildcard can be suitable for public, non-credentialed resources. Do not use it with credentialed requests that depend on cookies, HTTP authentication, or client certificates.
Does this tool test my live API?
No. It analyzes the response headers you paste. Use browser DevTools and server logs to confirm live route behavior.
Are pasted headers uploaded anywhere?
No. The check runs locally in your browser.
