CORS Header Checker
Check CORS (Cross-Origin Resource Sharing) headers configuration for any website or API endpoint
How CORS Works: Enter the origin (your website) and target (API/resource) to check if cross-origin requests would be allowed.
About CORS Header Checker
A comprehensive CORS header checker that analyzes Cross-Origin Resource Sharing configuration for websites and API endpoints. This tool validates CORS policies, checks header implementation, and provides security recommendations for proper cross-origin request handling.
Why use a CORS Header Checker?
CORS configuration is critical for web security and API accessibility. Proper CORS headers prevent security vulnerabilities while enabling legitimate cross-origin requests. This tool helps identify misconfigurations that could block valid requests or expose security risks.
Who is it for?
Essential for API developers configuring cross-origin policies, web developers implementing secure frontend-backend communication, security engineers auditing CORS configurations, and DevOps teams managing API security. Perfect for anyone working with modern web applications that require cross-origin resource sharing.
How to use the tool
Enter the URL or API endpoint you want to check for CORS headers
Click 'Check CORS Headers' to analyze the configuration
Review the CORS headers status and security score
Examine detailed analysis of each CORS header
Follow recommendations to improve your CORS security configuration
Frequently Asked Questions
How do I check a URL's CORS headers?
Enter the target URL and optionally the origin you want to test from. The tool sends an OPTIONS preflight request (or a GET with the configured Origin header) via our backend, captures the response headers (`Access-Control-Allow-Origin`, `-Allow-Methods`, `-Allow-Headers`, `-Allow-Credentials`, `-Max-Age`), and explains what they mean. Useful for: debugging cross-origin fetch failures, verifying API CORS configuration before deployment, understanding why a request is blocked by a browser.
What is CORS and why does my fetch fail?
CORS (Cross-Origin Resource Sharing) is the browser's security mechanism for letting servers explicitly allow cross-origin requests from JavaScript. By default, a page at `https://a.com` cannot read responses from `https://b.com` via fetch/XHR. The server at b.com must opt in by sending `Access-Control-Allow-Origin: https://a.com` (or `*`). When the browser blocks a request with 'CORS error', it's actually the SERVER's missing header that's the problem — not a client-side bug. Fix on the server, not the client.
Is the request sent to a server?
Yes — the tool routes through our backend. Reason: the browser would also enforce CORS on a client-side check (you'd hit the same wall you're trying to debug). The backend acts as a server-to-server HTTP client, which isn't subject to CORS (CORS is a browser-only mechanism). We log only the target URL for rate-limiting; the response headers aren't stored. For inspecting CORS on private/staging APIs, you can also use curl: `curl -i -X OPTIONS -H 'Origin: https://yourapp.com' -H 'Access-Control-Request-Method: GET' https://api.example.com/endpoint`. Including `Access-Control-Request-Method` makes it a real preflight, so CORS middleware that only answers preflights will return its `Access-Control-Allow-*` headers (`-i` prints the response headers along with any body).
What's a CORS preflight (OPTIONS request)?
Before sending a 'non-simple' cross-origin request (non-GET/POST, custom headers like Authorization, JSON Content-Type), browsers send an OPTIONS 'preflight' to check if the server allows it. The OPTIONS request includes `Access-Control-Request-Method` and `-Request-Headers`. The server responds with `Access-Control-Allow-Methods` and `-Allow-Headers` listing what's permitted. If the preflight fails, the real request is never sent. To allow your custom requests: configure CORS to permit the methods (PUT, DELETE, etc.) and headers (Authorization, Content-Type) you actually use.
Why does Access-Control-Allow-Origin: * not work with credentials?
Critical CORS rule. **When `Access-Control-Allow-Credentials: true` is set, `Access-Control-Allow-Origin` CANNOT be `*`** — it must be a specific origin. The browser rejects the response otherwise. Why: cookies and auth headers are sensitive; the spec requires the server to explicitly name the origin it trusts with credentials, not 'anyone'. Fix: echo the request's `Origin` header back (after validating against an allowlist) instead of using `*`. Most server-side CORS middlewares (Express's `cors`, Django, Rails) handle this automatically when configured with allowed origins.
What CORS headers should my API send?
Minimum for public read-only APIs: `Access-Control-Allow-Origin: *`. For authenticated APIs with cookies/auth headers: `Access-Control-Allow-Origin: https://yourapp.com` (specific origin) + `Access-Control-Allow-Credentials: true`. For non-simple methods: `Access-Control-Allow-Methods: GET, POST, PUT, DELETE` and `Access-Control-Allow-Headers: Content-Type, Authorization`. For caching preflight responses: `Access-Control-Max-Age: 3600`. Verify your configuration matches the request methods/headers your frontend actually uses — over-permissive CORS opens attack surface.
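The three answers above (the preflight exchange, the `*`-with-credentials rule, and the header set an API should send) come together in the server-side decision a CORS layer makes for each request. The following is an added example written for this page, not the tool's code and not the implementation of any of the middlewares named above; the policy values (`https://yourapp.com`, the method and header lists, the 3600-second max age) are placeholders you would replace with your own.

```python
"""Server-side CORS decision logic, written as an added example (not this tool's
code and not any particular middleware's). It encodes the FAQ answers: answer a
preflight with Allow-Methods / Allow-Headers / Max-Age, never pair a `*` origin
with credentials, and echo a validated Origin instead. Policy values are
hypothetical placeholders."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class CorsPolicy:
    allowed_origins: frozenset[str]              # exact origins, or {"*"} for public read-only APIs
    allow_credentials: bool = False
    allowed_methods: tuple[str, ...] = ("GET", "POST")
    allowed_headers: tuple[str, ...] = ("Content-Type",)
    max_age: int = 3600                          # seconds the browser may cache the preflight

    def __post_init__(self) -> None:
        # Refuse the one configuration the browser always rejects.
        if "*" in self.allowed_origins and self.allow_credentials:
            raise ValueError("Access-Control-Allow-Origin: * cannot be combined with credentials")


def cors_headers(policy: CorsPolicy, request_headers: dict[str, str]) -> Optional[dict[str, str]]:
    """Return the Access-Control-* headers to add to the response, or None when
    the request should get no CORS headers (the browser then refuses to expose
    the response to the page, or never sends the real request after a preflight)."""
    req = {k.lower(): v for k, v in request_headers.items()}   # header names are case-insensitive
    origin = req.get("origin")
    if origin is None:
        return None  # same-origin navigation or a non-browser client: nothing to add

    if "*" in policy.allowed_origins:
        allow_origin = "*"                 # safe only because __post_init__ ruled out credentials
    elif origin in policy.allowed_origins:
        allow_origin = origin              # echo the validated Origin, never an unchecked one
    else:
        return None                        # origin not on the allowlist

    headers = {"Access-Control-Allow-Origin": allow_origin}
    if allow_origin != "*":
        headers["Vary"] = "Origin"         # shared caches must not serve one origin's answer to another
    if policy.allow_credentials:
        headers["Access-Control-Allow-Credentials"] = "true"

    # A preflight carries Access-Control-Request-Method (and maybe -Headers);
    # answer it only if everything requested is permitted.
    requested_method = req.get("access-control-request-method")
    if requested_method is not None:
        if requested_method.upper() not in policy.allowed_methods:
            return None
        requested = {h.strip().lower()
                     for h in req.get("access-control-request-headers", "").split(",") if h.strip()}
        if not requested <= {h.lower() for h in policy.allowed_headers}:
            return None
        headers["Access-Control-Allow-Methods"] = ", ".join(policy.allowed_methods)
        headers["Access-Control-Allow-Headers"] = ", ".join(policy.allowed_headers)
        headers["Access-Control-Max-Age"] = str(policy.max_age)
    return headers


if __name__ == "__main__":
    # Constructed preflight for a PUT with a JSON body and a bearer token.
    policy = CorsPolicy(frozenset({"https://yourapp.com"}), allow_credentials=True,
                        allowed_methods=("GET", "POST", "PUT", "DELETE"),
                        allowed_headers=("Content-Type", "Authorization"))
    print(cors_headers(policy, {"Origin": "https://yourapp.com",
                                "Access-Control-Request-Method": "PUT",
                                "Access-Control-Request-Headers": "authorization, content-type"}))
```

Two design points worth noting: the wildcard-plus-credentials combination is rejected when the policy is built rather than at request time, so a misconfiguration fails loudly at startup instead of silently producing responses the browser discards; and `Vary: Origin` is emitted whenever the allowed origin is echoed, because a cache that ignores it can hand one origin's `Access-Control-Allow-Origin` to a different origin.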
Common CORS errors and fixes
**'No Access-Control-Allow-Origin header'**: server doesn't allow CORS at all — configure it. **'Origin not allowed'**: server's allowlist doesn't include your origin — add it. **'Method PUT not allowed'**: add the method to `Access-Control-Allow-Methods`. **'Header Authorization not allowed'**: add it to `Access-Control-Allow-Headers`. **'Credentials mode but * origin'**: change `*` to specific origin (see above FAQ). For local dev, configure permissive CORS (`*`); for production, restrict to known origins. Test with [HTTP Header Checker](/tools/http-header-checker/) after deployment.
Does this tool actually trigger CORS, or just inspect headers?
The tool inspects what the server SENDS — it doesn't trigger browser CORS enforcement (which only happens in a real browser context). The backend issues an OPTIONS request with a configurable Origin header and reports the response. This is enough to verify the server's CORS configuration is correct. For end-to-end verification, also test in a real browser at your actual application's origin — server configuration looking correct here doesn't guarantee the browser will accept it (subtle interactions like cookie SameSite, Origin matching, redirect handling can still fail in-browser).
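The kind of analysis described here, and the error vocabulary from the "Common CORS errors" answer above, can be reproduced offline against captured headers. The following is an added example written for this page, not the tool's own backend: it takes the Origin a page would send, the method and headers the real request would use, and the headers captured from the server's OPTIONS response, and returns findings phrased like the FAQ's errors together with the server-side fix. The sample origins and header values in the `__main__` block are constructed.

```python
"""Classify a server's CORS preflight response, as an added example of the kind of
check the tool performs (illustrative code, not the tool's own). Returns one
finding per problem using the FAQ's error vocabulary; an empty list means a
browser would let the request through."""
from __future__ import annotations

SIMPLE_METHODS = {"GET", "HEAD", "POST"}
# Request headers a browser sends without a preflight (CORS-safelisted).
SAFELISTED_HEADERS = {"accept", "accept-language", "content-language", "content-type"}
# Content-Type values that stay safelisted; application/json is NOT one of them.
SAFELISTED_CONTENT_TYPES = {"application/x-www-form-urlencoded", "multipart/form-data", "text/plain"}


def _csv(value: str) -> set[str]:
    """Split a comma-separated header value into a lower-cased set of tokens."""
    return {v.strip().lower() for v in value.split(",") if v.strip()}


def _is_safelisted(name: str, value: str) -> bool:
    """True if this request header would not by itself trigger a preflight."""
    name = name.lower()
    if name not in SAFELISTED_HEADERS:
        return False
    if name == "content-type":
        return value.split(";")[0].strip().lower() in SAFELISTED_CONTENT_TYPES
    return True


def analyze_cors(origin: str, method: str, request_headers: dict[str, str],
                 response_headers: dict[str, str]) -> list[str]:
    resp = {k.lower(): v.strip() for k, v in response_headers.items()}
    findings: list[str] = []

    acao = resp.get("access-control-allow-origin")
    creds = resp.get("access-control-allow-credentials", "").lower() == "true"
    if acao is None:
        findings.append("No Access-Control-Allow-Origin header: the server does not allow CORS at all; configure it")
    elif acao == "*":
        if creds:
            findings.append("Credentials mode but * origin: the browser rejects this; echo the validated Origin instead of *")
    elif acao != origin:
        findings.append(f"Origin not allowed: server names {acao}, page origin is {origin}; add it to the allowlist")

    # Anything beyond a simple request is preflighted, so the Allow-Methods /
    # Allow-Headers lists must cover what the page actually sends.
    custom = [n for n, v in request_headers.items() if not _is_safelisted(n, v)]
    if method.upper() in SIMPLE_METHODS and not custom:
        return findings  # simple request: no preflight, nothing more to check

    methods = _csv(resp.get("access-control-allow-methods", ""))
    wildcard_ok = not creds  # `*` in Allow-Methods/Allow-Headers only counts without credentials
    if (method.upper() not in SIMPLE_METHODS and method.lower() not in methods
            and not (wildcard_ok and "*" in methods)):
        findings.append(f"Method {method.upper()} not allowed: add it to Access-Control-Allow-Methods")

    allowed_headers = _csv(resp.get("access-control-allow-headers", ""))
    for name in custom:
        # Authorization is never covered by `*`; it must be listed explicitly.
        covered = name.lower() in allowed_headers or (
            wildcard_ok and "*" in allowed_headers and name.lower() != "authorization")
        if not covered:
            findings.append(f"Header {name} not allowed: add it to Access-Control-Allow-Headers")
    return findings


if __name__ == "__main__":
    # Constructed capture: a PUT with a bearer token against an API that only allows GET/POST.
    captured = {"Access-Control-Allow-Origin": "https://yourapp.com",
                "Access-Control-Allow-Methods": "GET, POST",
                "Access-Control-Allow-Headers": "Content-Type"}
    for finding in analyze_cors("https://yourapp.com", "PUT",
                                {"Authorization": "Bearer <token>", "Content-Type": "application/json"},
                                captured):
        print("-", finding)
```

Note that a `Content-Type: application/json` request header is classified as non-safelisted even though `Content-Type` itself is on the safelist, which is exactly why JSON POSTs get preflighted while form POSTs do not; and `*` in `Access-Control-Allow-Headers` is not accepted as covering `Authorization`, matching the browser behaviour that trips up APIs relying on a wildcard.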