CORS Checker

Test a public URL with a browser-style CORS preflight request and inspect Access-Control headers.

Uses a small server-side check

Public HTTP/HTTPS URLs only. Local/private targets and non-standard ports are blocked before the preflight request.

How to use this tool

Enter a public HTTP or HTTPS URL that should be reachable by browsers.

Set the Origin, request method, and optional request headers that your frontend will send.

Run the preflight check and review Access-Control response headers, warnings, and whether the browser would likely allow the request.

What a CORS preflight checks

A browser sends an OPTIONS preflight request before certain cross-origin requests, especially requests with non-simple methods or custom headers.

The server must answer with Access-Control-Allow-Origin, Access-Control-Allow-Methods, and sometimes Access-Control-Allow-Headers.

If the preflight fails, the browser blocks frontend JavaScript from reading or completing the cross-origin request even if the server is otherwise reachable.

Common CORS mistakes

Access-Control-Allow-Origin must match the requesting origin or be `*` for public non-credentialed resources.

A wildcard origin cannot be used together with credentialed browser requests.

If your frontend sends `Authorization` or `Content-Type: application/json`, the preflight response must allow those headers.

Redirects, 401 responses, and missing OPTIONS handlers often break preflight requests before the actual API call is sent.
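
The checks above, applied to a captured preflight response, as an added example that is not this tool's own code. The function name `evaluatePreflight`, its argument shapes, and the sample reply are assumptions made for illustration; the wildcard handling for methods and headers follows the Fetch standard and goes slightly beyond what the page lists.

```javascript
// Added example. evaluatePreflight() and its argument shapes are hypothetical.
// request: { origin, method, headers: [names], credentials }; response: { status, headers }
function evaluatePreflight(request, response) {
  const problems = [];
  const h = {};
  for (const [name, value] of Object.entries(response.headers)) {
    h[name.toLowerCase()] = String(value).trim();
  }
  const tokens = (v) => (v || "").split(",").map((s) => s.trim()).filter(Boolean);
  // With credentials, "*" is not a wildcard in any Access-Control-Allow-* header.
  const wildcardOk = !request.credentials;
  // Redirects, 401s and missing OPTIONS handlers fail here, before the real call.
  if (response.status < 200 || response.status > 299) {
    problems.push(`preflight status ${response.status} is not 2xx`);
  }
  const allowOrigin = h["access-control-allow-origin"];
  if (!allowOrigin) {
    problems.push("missing Access-Control-Allow-Origin");
  } else if (allowOrigin === "*") {
    if (!wildcardOk) problems.push("wildcard origin used with a credentialed request");
  } else if (allowOrigin !== request.origin) {
    problems.push(`Access-Control-Allow-Origin ${allowOrigin} does not match ${request.origin}`);
  }
  if (request.credentials && h["access-control-allow-credentials"] !== "true") {
    problems.push("Access-Control-Allow-Credentials is not true");
  }
  // GET, HEAD and POST never need to be listed; other methods do.
  const method = request.method.toUpperCase();
  const methods = tokens(h["access-control-allow-methods"]);
  if (!["GET", "HEAD", "POST"].includes(method) && !methods.includes(method) &&
      !(wildcardOk && methods.includes("*"))) {
    problems.push(`method ${method} not in Access-Control-Allow-Methods`);
  }
  // Header names compare case-insensitively; Authorization is never covered by "*".
  const allowed = tokens(h["access-control-allow-headers"]).map((s) => s.toLowerCase());
  for (const name of request.headers.map((s) => s.toLowerCase())) {
    const viaWildcard = wildcardOk && name !== "authorization" && allowed.includes("*");
    if (!allowed.includes(name) && !viaWildcard) {
      problems.push(`header ${name} not in Access-Control-Allow-Headers`);
    }
  }
  return { allowed: problems.length === 0, problems };
}
// Constructed sample: the page's "Frontend app calling an API" input against a
// reply that forgot to allow the authorization header.
const sample = evaluatePreflight(
  { origin: "https://app.example.com", method: "POST", headers: ["authorization", "content-type"], credentials: false },
  { status: 204, headers: { "Access-Control-Allow-Origin": "https://app.example.com", "Access-Control-Allow-Headers": "Content-Type" } });
```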

Security boundaries

CORS is a browser access-control mechanism, not server-side authentication.

It does not stop curl, backend services, bots, or attackers from making direct requests to a public API.

Protect sensitive endpoints with authentication and authorization first, then configure CORS only for the browser origins that need access.

Examples

Frontend app calling an API

The API should allow the exact origin, POST, and both requested headers.

Input
Origin: https://app.example.com
Method: POST
Headers: authorization, content-type

Public read-only resource

Wildcard origin is fine for public resources that do not use cookies or credentials.

Output
Access-Control-Allow-Origin: *

FAQ

Does CORS protect my API from attackers?

No. CORS only controls what browser JavaScript can read across origins. Your API still needs authentication, authorization, rate limits, and input validation.

Why does my request work in curl but fail in the browser?

curl is not restricted by browser CORS rules. Browser JavaScript is, so the server must return the right Access-Control headers.

Can I use Access-Control-Allow-Origin: * with cookies?

No. Credentialed browser requests require a specific allowed origin and Access-Control-Allow-Credentials: true.

Does this checker follow redirects?

No. Redirects are reported but not followed, because redirected preflight requests can fail in browsers and can hide configuration problems.