CORS Tester - Test Cross-Origin Resource Sharing

Test Cross-Origin Resource Sharing (CORS) configuration and check Access-Control headers.


What is CORS?

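Cross-Origin Resource Sharing (CORS) is a browser-enforced security feature that controls how web pages from one origin (scheme, host and port) can access resources from another origin. By default the browser's same-origin policy stops scripts from reading cross-origin responses, which prevents malicious websites from accessing your data; CORS headers let a server relax that restriction for the origins it trusts.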

How to Use the CORS Tester:

  1. Enter URL: The API endpoint you want to test
  2. Click Test CORS: Get instructions and test code
  3. Use browser console: Run the fetch code in your browser's developer console
  4. Or use cURL: Run the cURL command in your terminal
  5. Check headers: Look for Access-Control-* headers in the response

Common CORS Headers:

  • Access-Control-Allow-Origin: Specifies which origins can access the resource (e.g., *, https://example.com)
  • Access-Control-Allow-Methods: HTTP methods allowed (GET, POST, PUT, DELETE, etc.)
  • Access-Control-Allow-Headers: Which headers can be used in the request
  • Access-Control-Allow-Credentials: Whether cookies/auth can be sent (true/false)
  • Access-Control-Max-Age: How long preflight results can be cached (in seconds)

Common CORS Errors:

  • "No 'Access-Control-Allow-Origin' header": Server doesn't allow your origin
  • "CORS policy blocked": Request doesn't match allowed methods or headers
  • "Credentials flag is true": Can't use wildcard (*) with credentials
  • "Preflight request failed": OPTIONS request was rejected

How to Fix CORS Issues:

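Server-side (Backend):

# Python Flask
# CORS(app) with no arguments allows every origin; restrict it before production.
from flask import Flask
from flask_cors import CORS
app = Flask(__name__)
CORS(app)

// Node.js Express
// cors() with no options also allows every origin.
const express = require('express');
const cors = require('cors');
const app = express();
app.use(cors());

// Manual headers (Node.js response object)
response.setHeader('Access-Control-Allow-Origin', '*');
response.setHeader('Access-Control-Allow-Methods', 'GET, POST, PUT, DELETE');
response.setHeader('Access-Control-Allow-Headers', 'Content-Type, Authorization');

Development Workarounds:

  • Use a CORS proxy (for testing only, not production!)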
  • Disable CORS in browser (for local development only)
  • Use browser extensions like "CORS Unblock"
  • Configure your API to allow your development origin

CORS Preflight Requests:

For certain requests (POST, PUT, DELETE, custom headers), browsers send an OPTIONS "preflight" request first to check if the actual request is allowed.

Best Practices:

  • Don't use wildcard (*) in production - specify exact origins
  • Be specific with allowed methods and headers
  • Use credentials carefully - don't combine with wildcard origin
  • Set appropriate max-age for preflight caching
  • Test CORS in actual browser environment, not just tools
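
To read the headers from step 5 the way a browser does, here is a simplified model of the preflight check. It is an added example, not the tool's own code; the function names, the request/response object shapes and the sample values are assumptions made for illustration.

```javascript
// Added example: simplified model of a browser's CORS preflight check.
// req: { origin, method, headers: [non-safelisted header names], credentials: bool }
// res: { status, headers: { 'lower-cased-name': 'value' } }  (shapes are assumptions)
const SAFE_METHODS = ['GET', 'HEAD', 'POST']; // never need to be listed explicitly

function parseList(value) {
  return (value || '').split(',').map((s) => s.trim()).filter(Boolean);
}

function evaluatePreflight(req, res) {
  const errors = [], warnings = [];
  const h = res.headers;
  const allowOrigin = (h['access-control-allow-origin'] || '').trim();
  const allowCreds = h['access-control-allow-credentials'] === 'true';
  const methods = parseList(h['access-control-allow-methods']).map((m) => m.toUpperCase());
  const allowHeaders = parseList(h['access-control-allow-headers']).map((n) => n.toLowerCase());
  const wildcardOk = !req.credentials; // "*" is only honoured without credentials

  if (res.status < 200 || res.status > 299) errors.push('Preflight request failed');
  if (!allowOrigin) {
    errors.push("No 'Access-Control-Allow-Origin' header");
  } else if (allowOrigin === '*') {
    warnings.push('Wildcard origin: specify exact origins in production');
    if (req.credentials) errors.push('Credentials flag is true: wildcard (*) not allowed');
  } else if (allowOrigin !== req.origin) {
    errors.push(`Origin ${req.origin} not allowed`);
  }
  if (req.credentials && !allowCreds) errors.push('Access-Control-Allow-Credentials is not "true"');

  const method = req.method.toUpperCase();
  const methodOk = SAFE_METHODS.includes(method) || methods.includes(method) ||
    (wildcardOk && methods.includes('*'));
  if (!methodOk) errors.push(`Method ${method} not in Access-Control-Allow-Methods`);

  for (const name of req.headers.map((n) => n.toLowerCase())) {
    // Authorization must be listed explicitly; "*" does not cover it.
    const viaWildcard = wildcardOk && allowHeaders.includes('*') && name !== 'authorization';
    if (!allowHeaders.includes(name) && !viaWildcard) errors.push(`Header ${name} not in Access-Control-Allow-Headers`);
  }
  return { allowed: errors.length === 0, errors, warnings };
}

// Constructed sample: credentialed PUT against an exact-origin policy.
const sample = evaluatePreflight(
  { origin: 'https://app.example.com', method: 'PUT', headers: ['Content-Type'], credentials: true },
  { status: 204, headers: { 'access-control-allow-origin': 'https://app.example.com',
    'access-control-allow-credentials': 'true', 'access-control-allow-methods': 'GET, PUT',
    'access-control-allow-headers': 'Content-Type, Authorization' } });
console.log(sample);
```

The model covers only the headers listed on this page; a real browser remains the reference, as the last best practice says.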
