CORS Tester

What is CORS and why do I need it?

CORS (Cross-Origin Resource Sharing) is a security feature that controls which websites can access your API. Browsers block cross-origin requests by default for security. CORS headers tell the browser which origins are allowed to make requests.

Why am I getting a CORS error?

CORS errors occur when your frontend (e.g., localhost:3000) tries to access an API on a different domain that hasn't explicitly allowed your origin. The server needs to include Access-Control-Allow-Origin header in its response.

What is a preflight request?

Preflight is an OPTIONS request the browser sends before the actual request for "complex" requests (POST with JSON, custom headers, etc.). The server must respond with correct CORS headers for the actual request to proceed.

How do I fix CORS errors?

Add CORS headers to your server response. The main header is Access-Control-Allow-Origin which should include your frontend origin. For requests with credentials or custom headers, you also need Access-Control-Allow-Credentials and Access-Control-Allow-Headers.

What headers does CORS check?

Key headers: Access-Control-Allow-Origin (required), Access-Control-Allow-Methods (for preflight), Access-Control-Allow-Headers (for custom headers), Access-Control-Allow-Credentials (for cookies), and Access-Control-Max-Age (preflight cache).

Can I use * for Access-Control-Allow-Origin?

Yes, but not with credentials. If your API uses cookies or Authorization headers, you cannot use wildcard (*). You must specify the exact origin like "https://yourdomain.com".

Is this CORS tester free?

Yes, 100% free with no limits. Test unlimited URLs with all features. No signup required, no watermarks.

Is my data secure?

We only make OPTIONS/HEAD requests to check headers. No actual data is sent to your API. Your origin and target URLs are not stored or logged.