CORS tester
Send a preflight + actual request from a configurable Origin and see exactly which CORS headers the server returns — with pass/fail diagnostics.
/tools/cors helps debug "why does my fetch fail in the browser but work in curl" by reproducing exactly what a browser does:
- For non-simple methods (PUT, PATCH, DELETE, etc.) it sends an OPTIONS preflight with
Origin,Access-Control-Request-MethodandAccess-Control-Request-Headers. - Then it sends the actual request with the supplied Origin.
- Both responses show every CORS header the server returned:
Access-Control-Allow-Origin,-Allow-Credentials,-Allow-Methods,-Allow-Headers,-Expose-Headers,-Max-Age, andVary.
Diagnostic checks flag the common mistakes:
- Origin not allowed (or no
Access-Control-Allow-Originreturned at all). - Preflight doesn't list the requested method.
Access-Control-Allow-Origin: *combined withAllow-Credentials: true— invalid per spec, browsers will reject the response.
Useful when integrating a third-party API, configuring a new endpoint, or chasing the maddening "request blocked by CORS policy" error.