CORS Tester
CORS Doesn't Have to Be Hard
Enter your API URL, verify CORS policies, and get actionable insights to resolve issues instantly. Handy tool for developers and API testers!
✅ Check CORS Headers
✅ Debug CORS Errors
✅ Ensure API Compliance
Checklist For CORS Support
- ✔ OPTIONS request should pass with 200 status: Ensure the API endpoint responds to OPTIONS requests with a 200 HTTP response status code.
- ✔ 'Access-Control-Allow-Origin' in the response header: The OPTIONS (preflight) response must set the 'Access-Control-Allow-Origin' header to the same value as the 'Origin' header in the HTTP request. Skip this when the given 'Origin' isn't authorized.
- ✔ 'Access-Control-Allow-Methods' in the response header: The OPTIONS (preflight) response must specify the allowed HTTP methods in the 'Access-Control-Allow-Methods' header.
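- ✔ 'Access-Control-Allow-Headers' in the response header: The OPTIONS (preflight) response must list the allowed request headers in the 'Access-Control-Allow-Headers' header. Also ensure the 'Access-Control-Expose-Headers' header is set if custom response headers need to be exposed to the client.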
- ✔ 'Access-Control-Allow-Credentials' header set for credentials: Confirm the 'Access-Control-Allow-Credentials' header is set to 'true' if the request requires credentials (e.g., cookies or tokens).
- ✔ Avoid wildcard in 'Access-Control-Allow-Origin' with credentials: When returning 'true' for 'Access-Control-Allow-Credentials' in response to the OPTIONS request, avoid returning '*' in 'Access-Control-Allow-Origin' in the HTTP response headers.
- ✔ Cache preflight responses with 'Access-Control-Max-Age': Set 'Access-Control-Max-Age' to cache OPTIONS preflight responses and reduce overhead. Add it to the response headers of the OPTIONS call. This is optional.
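
The checklist above, applied to a captured preflight response, as an added example (not this tool's own code). The function name checkPreflight, its input shape, and the sample request and responses are assumptions constructed for illustration.

```javascript
// Added example: checks an OPTIONS (preflight) response against the checklist.
function checkPreflight(req, res) {
  // Header names are case-insensitive, so normalise them before lookup.
  const h = {};
  for (const [k, v] of Object.entries(res.headers)) h[k.toLowerCase()] = String(v).trim();
  const list = (name) =>
    (h[name] || '').split(',').map((s) => s.trim().toLowerCase()).filter(Boolean);
  // A '*' list entry only acts as a wildcard for requests without credentials.
  const allows = (name, value) =>
    list(name).includes(value.toLowerCase()) || (!req.credentials && list(name).includes('*'));
  const failures = [], warnings = [];
  const acao = h['access-control-allow-origin'];
  if (res.status !== 200) failures.push('status'); // the checklist asks for 200
  if (acao === '*') {
    if (req.credentials) failures.push('wildcard-origin-with-credentials');
  } else if (acao !== req.origin) {
    failures.push('allow-origin');
  }
  if (!allows('access-control-allow-methods', req.method)) failures.push('allow-methods');
  for (const name of req.headers) {
    if (!allows('access-control-allow-headers', name)) failures.push(`allow-headers:${name.toLowerCase()}`);
  }
  // The header value must be the exact string "true".
  if (req.credentials && h['access-control-allow-credentials'] !== 'true') {
    failures.push('allow-credentials');
  }
  // Max-Age is optional, so a missing or non-numeric value is only a warning.
  if (!/^\d+$/.test(h['access-control-max-age'] || '')) warnings.push('max-age');
  return { failures, warnings };
}

// Constructed sample data (not captured from a real API).
const sampleRequest = {
  origin: 'https://app.example', method: 'PUT',
  headers: ['Content-Type', 'X-Request-Id'], credentials: true,
};
const goodResponse = { status: 200, headers: {
  'Access-Control-Allow-Origin': 'https://app.example',
  'Access-Control-Allow-Methods': 'GET, PUT',
  'Access-Control-Allow-Headers': 'content-type, x-request-id',
  'Access-Control-Allow-Credentials': 'true',
  'Access-Control-Max-Age': '600',
} };
const badResponse = { status: 200, headers: {
  'access-control-allow-origin': '*', 'access-control-allow-methods': '*',
  'access-control-allow-headers': 'Content-Type', 'access-control-allow-credentials': 'true',
} };
console.log(checkPreflight(sampleRequest, goodResponse), checkPreflight(sampleRequest, badResponse));
```

The second sample fails three checks because a credentialed request cannot rely on '*' for the origin or the method list, and 'X-Request-Id' is not in the allowed headers.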