CORS Headers Checker
Test CORS configuration for any URL. Debug cross-origin request issues instantly.
🔍
What CORS checks
Tests Access-Control-Allow-Origin, methods, credentials, preflight OPTIONS requests and Vary headers.
🚫
Common CORS errors
Missing CORS headers, wrong origin, blocked methods, or credentials not allowed — all diagnosed instantly.
⚡
Server-side testing
Our tool makes the request from our server so it bypasses browser CORS restrictions — seeing the raw headers.
Frequently Asked Questions
What is CORS?
Cross-Origin Resource Sharing (CORS) is a browser security feature that restricts web pages from making requests to a different domain than the one that served the page. APIs must include CORS headers to allow cross-origin requests from browsers.
Why does my API work in Postman but not in the browser?
Postman does not enforce CORS — it sends requests directly. Browsers enforce CORS for security. If your API returns the correct CORS headers, browsers will allow the request. This tool tests what headers your server actually returns.
What is a CORS preflight request?
Before sending certain cross-origin requests (non-simple requests), browsers first send an OPTIONS request to check if the server allows the operation. The server must respond with the appropriate Access-Control-Allow-* headers.