Souus Tools
Sponsor

CORS Header Checker

Free online CORS header checker and analyzer. Validate Access-Control headers, diagnose cross-origin issues, and verify preflight configuration.

Analysis

Access-Control-Allow-Origin: * — All origins allowed.
Method GET is allowed.
Allowed headers: Content-Type, Authorization
Preflight cache: 86400 seconds

What Is a CORS Header Checker?

Cross-Origin Resource Sharing (CORS) is a browser security mechanism that controls how web pages on one domain can request resources from a different domain. When a frontend application at https://myapp.com tries to fetch data from https://api.example.com, the browser checks the server's CORS headers to determine whether the request is allowed. A CORS Header Checker analyzes the response headers from an API server and evaluates whether they correctly permit cross-origin requests from your specified origin, HTTP method, and custom headers. It identifies common configuration mistakes such as missing Access-Control-Allow-Origin headers, wildcard origins combined with credentials, and disallowed methods or headers.

How to Use the CORS Header Checker

  1. Enter your frontend application's origin (e.g., 'https://myapp.com') in the Request Origin field.
  2. Select the HTTP method your application uses to make the cross-origin request.
  3. Paste the response headers from your API server into the Response Headers textarea. Enter one header per line in 'Key: Value' format.
  4. Review the analysis results below. Green checkmarks indicate passing checks, yellow warnings suggest potential issues, and red crosses indicate blocking problems.

Common Use Cases

  • Debugging CORS Errors — When your browser console shows 'Access to fetch has been blocked by CORS policy', paste the response headers here to quickly identify what's missing or misconfigured.
  • Server Configuration Validation — Before deploying API changes, verify that your CORS headers correctly allow the expected origins, methods, and custom headers without being overly permissive.
  • Security Review — Audit your API's CORS configuration to ensure it follows security best practices — no wildcard origins with credentials, appropriate preflight caching, and minimal allowed headers.
  • Teaching & Learning CORS — Understand how different CORS header combinations affect browser behavior by experimenting with various configurations and seeing the analysis results in real-time.

FAQ

What is a CORS preflight request?
A preflight request is an automatic OPTIONS request sent by the browser before the actual request when using non-simple methods (PUT, PATCH, DELETE), custom headers, or certain content types. The server must respond with appropriate Access-Control-Allow-* headers. The Access-Control-Max-Age header controls how long the browser caches preflight results.
Why can't I use Access-Control-Allow-Origin: * with credentials?
When a request includes credentials (cookies or HTTP authentication), the browser requires the server to respond with the exact origin in Access-Control-Allow-Origin, not the wildcard *. This prevents any website from making authenticated requests to your API. You must echo back the specific requesting origin.
What are 'simple requests' that don't require preflight?
Simple requests use GET, HEAD, or POST methods with only standard headers (Accept, Accept-Language, Content-Language, Content-Type with values application/x-www-form-urlencoded, multipart/form-data, or text/plain). Any other combination triggers a preflight OPTIONS request.
Does this tool send actual requests to test CORS?
No, this tool performs purely offline analysis. You paste the response headers and it evaluates them against your specified origin and method. To get the actual response headers, you can use browser DevTools Network tab, curl with -I flag, or any HTTP client.

関連ツール

HTTP Status Codes Reference - Complete Status Code GuideHTTP Request Builder