What is CORS?
Cross-Origin Resource Sharing (CORS) is a browser security mechanism that controls how web pages can request resources from a different origin (a different domain, protocol, or port). Without CORS headers, browsers stop page scripts from reading the responses to cross-origin requests, which protects users from malicious sites reading data from other domains.
Servers opt in to cross-origin access by including Access-Control-Allow-Origin and related headers in their responses. For non-simple requests the browser sends an OPTIONS preflight request first to verify permission before making the actual request.
How it works
When a browser makes a cross-origin request with a custom method or headers, it first sends a preflight OPTIONS request containing Origin, Access-Control-Request-Method, and Access-Control-Request-Headers. The server must respond with matching Access-Control-Allow-* headers. If the preflight passes, the browser proceeds with the actual request and checks the response headers again. This tool makes both requests server-side (bypassing browser restrictions) and reports what the browser would see.
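The header checks described above can be written out as a small evaluator. This is an added example, not the tool's own code: it covers header checks only, the function names, origin and header values are constructed, and it also applies the rule that a wildcard origin is rejected for credentialed requests.

```javascript
// Added example. Header maps use lower-case names; all sample values are constructed.
const SAFELISTED_METHODS = ["GET", "HEAD", "POST"];

const splitList = (v) => (v || "").split(",").map((s) => s.trim()).filter(Boolean);

// Origin check the browser applies to both the preflight and the actual response.
function originError(headers, origin, withCredentials) {
  const acao = headers["access-control-allow-origin"];
  if (!acao) return "missing Access-Control-Allow-Origin";
  if (withCredentials && acao === "*") return "wildcard origin not allowed with credentials";
  if (acao !== "*" && acao !== origin) return "Access-Control-Allow-Origin does not match origin";
  if (withCredentials && headers["access-control-allow-credentials"] !== "true")
    return "Access-Control-Allow-Credentials is not true";
  return null;
}

// Assumption: every name in req.headers is a non-safelisted request header.
function checkCors(req, preflight, actual) {
  const { origin, method, headers = [], withCredentials = false } = req;
  const fail = (stage, reason) => ({ ok: false, stage, reason });
  const needsPreflight = !SAFELISTED_METHODS.includes(method) || headers.length > 0;
  if (needsPreflight) {
    const err = originError(preflight, origin, withCredentials);
    if (err) return fail("preflight", err);
    // With credentials, "*" in Allow-Methods/Allow-Headers is not a wildcard.
    const wild = (list) => !withCredentials && list.includes("*");
    const methods = splitList(preflight["access-control-allow-methods"]);
    if (!SAFELISTED_METHODS.includes(method) && !methods.includes(method) && !wild(methods))
      return fail("preflight", `method ${method} not allowed`);
    const allowed = splitList(preflight["access-control-allow-headers"]).map((h) => h.toLowerCase());
    // "*" never covers Authorization; it must be listed by name.
    for (const h of headers.map((x) => x.toLowerCase()))
      if (!allowed.includes(h) && (h === "authorization" || !wild(allowed)))
        return fail("preflight", `header ${h} not allowed`);
  }
  const err = originError(actual, origin, withCredentials);
  return err ? fail("actual", err) : { ok: true, preflighted: needsPreflight };
}

// Constructed scenario: a credentialed PUT with a custom header from https://app.example.
const req = { origin: "https://app.example", method: "PUT", headers: ["X-Request-Id"], withCredentials: true };
const good = {
  "access-control-allow-origin": "https://app.example",
  "access-control-allow-credentials": "true",
  "access-control-allow-methods": "GET, PUT",
  "access-control-allow-headers": "X-Request-Id",
};
const wildcard = { ...good, "access-control-allow-origin": "*" };
console.log(checkCors(req, good, good), checkCors(req, wildcard, good));
```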
How to use this tool
- Enter a target URL to check its CORS configuration
- Expand Advanced options to simulate requests from a specific origin or with a specific HTTP method
- Review the preflight (OPTIONS) and actual (GET) response headers separately
- Click any header row to expand a plain-English explanation and the raw header value
- The overall verdict summarises whether requests from the simulated origin would succeed
Common use cases
- Diagnosing "No 'Access-Control-Allow-Origin' header" browser errors when calling APIs
- Verifying that a REST API allows requests from a specific frontend domain
- Checking whether Access-Control-Allow-Credentials: true is correctly paired with a non-wildcard origin for cookie-based auth
- Confirming CDN or reverse proxy CORS configuration without needing a browser dev-tools session
- Testing that Access-Control-Max-Age is set to reduce unnecessary preflight overhead