CORS Tester
Test any URL for CORS (Cross-Origin Resource Sharing) with a custom method, headers, and body — see exactly why a browser would allow or block the request.
Monitor this automatically
NetTests can run this check on a schedule, preserve historical results, compare changes over time, and alert you the moment something breaks.
Start monitoring free → See all monitoring productsFrequently Asked Questions
What is this CORS tester tool about?
The CORS tester is a free tool that checks whether a given URL allows cross-origin requests. Enter the URL you want to test and the origin making the request, choose a method, optionally add headers and a body, then click Run Test. The tool sends the request, reads the server's Access-Control-* response headers, and shows you exactly whether a browser would allow or block it — and why.
What is CORS?
CORS (Cross-Origin Resource Sharing) is a browser mechanism that relaxes the Same-Origin Policy to allow controlled access to resources across different origins. By default browsers block requests between different origins; CORS lets a server opt in by returning headers such as Access-Control-Allow-Origin. For example, if your frontend runs on https://app.example.com and fetches data from https://api.example.com, the browser blocks it unless the API explicitly allows that origin. CORS is enforced entirely by the browser — tools like Postman or cURL never show CORS errors because they don't enforce the Same-Origin Policy.
How does this CORS tester work?
The tester sends the request you configure (method, headers, body) to the target URL with your chosen Origin, then inspects the server's response headers to determine whether a real browser would permit the response. When the request isn't a simple request, it first sends the OPTIONS preflight just like a browser would, and evaluates whether the preflight grants the method and headers you're using.
What is a CORS preflight request?
A preflight is an automatic OPTIONS request the browser sends before certain cross-origin requests — when you use a method other than GET, HEAD, or POST, or include non-safelisted headers like Authorization, or send a Content-Type other than application/x-www-form-urlencoded, multipart/form-data, or text/plain. The preflight asks the server which methods and headers it allows. If it fails, the browser never sends the actual request.
How do I test CORS with credentials?
Tick Include credentials and set the Origin to your frontend domain. When credentials (cookies or Authorization) are involved, the spec requires the server to return the exact origin (not *) in Access-Control-Allow-Origin and to include Access-Control-Allow-Credentials: true. The tool flags it when either is missing.
Why does my API work in Postman but fail here?
Postman and cURL are backend HTTP clients that don't enforce the browser's Same-Origin Policy — they send requests directly without any CORS checks. This tool evaluates the response the way a browser does, so it reveals CORS blocks that Postman ignores. If your API works in Postman but fails here, your server is missing the required CORS headers.
What CORS headers does this tool check?
The tool inspects all standard CORS response headers:
- Access-Control-Allow-Origin — which origin(s) may read the response.
- Access-Control-Allow-Methods — methods allowed for cross-origin requests.
- Access-Control-Allow-Headers — which request headers are permitted.
- Access-Control-Allow-Credentials — whether cookies / auth are allowed.
- Access-Control-Max-Age — how long the preflight result is cached.
- Access-Control-Expose-Headers — response headers JavaScript may read.
How do I fix "No 'Access-Control-Allow-Origin' header is present"?
This is the most common CORS error — the server didn't return an Access-Control-Allow-Origin header. Configure your server to send it. Examples:
Node.js (Express):
const cors = require('cors');
app.use(cors({ origin: 'https://example.com', credentials: true }));Python (Flask):
from flask_cors import CORS
CORS(app, origins=['https://example.com'], supports_credentials=True)Nginx:
add_header Access-Control-Allow-Origin "https://example.com" always;
add_header Access-Control-Allow-Methods "GET, POST, PUT, DELETE, OPTIONS" always;
add_header Access-Control-Allow-Headers "Content-Type, Authorization" always;
if ($request_method = OPTIONS) { return 204; }How do I fix "Method PUT is not allowed by Access-Control-Allow-Methods"?
The preflight succeeded but the server didn't list the method you're using. Add it to your CORS config, e.g. Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS.
How do I fix "Request header field … is not allowed by Access-Control-Allow-Headers"?
Your request includes a header (often Authorization) the server hasn't explicitly allowed. Add the header name to the server's Access-Control-Allow-Headers response, e.g. Access-Control-Allow-Headers: Content-Type, Authorization.
Can I test a localhost development server?
Yes. Set the Origin to your local frontend URL (e.g. http://localhost:3000 or http://localhost:5173) to simulate how your local app will interact with a remote API. Note the target URL must be reachable from this server.