CORS Tester

Test CORS configuration for any API URL. Checks Access-Control-Allow-Origin, Access-Control-Allow-Methods, Access-Control-Allow-Headers, credentials support, and preflight OPTIONS response. Shows which headers are present/missing, whether your request would be blocked, and provides copy-paste server configuration fixes for Express.js, Nginx, and other frameworks.

CORS Headers Checked

Access-Control-Allow-Origin: Which origins are allowed (must match your origin or *). Access-Control-Allow-Methods: Which HTTP methods are allowed (GET, POST, PUT, DELETE, etc.). Access-Control-Allow-Headers: Which request headers are allowed. Access-Control-Allow-Credentials: Whether cookies/auth headers are allowed. Access-Control-Max-Age: How long preflight results are cached. Access-Control-Expose-Headers: Which response headers are exposed to JavaScript.

Preflight OPTIONS Request

Checks if the server properly responds to OPTIONS requests. Required for cross-origin requests with non-simple methods (POST with custom headers, PUT, DELETE).

Server Configuration Fixes

Express.js/Node.js: `app.use(cors())` or custom middleware. Nginx: `add_header Access-Control-Allow-Origin *;` Apache: `Header set Access-Control-Allow-Origin "*"` Python/Flask: `@app.after_request` decorator. PHP: `header('Access-Control-Allow-Origin: *');`

Common CORS Errors

No 'Access-Control-Allow-Origin' header: Server not configured for CORS. Origin not allowed: Server only allows specific origins, not yours. Credentials not allowed: Server doesn't allow cookies/auth headers. Preflight fails: OPTIONS request not handled properly.

Testing Notes

CORS tests are performed from your browser. Some APIs may block requests from browsers but work from servers. The tool shows exact request/response headers for debugging.