Test cross-origin resource sharing for any URL and origin. See all Access-Control headers, preflight results, and whether your request would be allowed or blocked.
Cross-Origin Resource Sharing (CORS) is a browser security mechanism that controls which domains can make requests to your API or server. By default, browsers block requests from one origin (e.g. yoursite.com) to another (e.g. api.example.com). The server must explicitly allow cross-origin requests via Access-Control headers.
The most common reasons are: the server is not returning an Access-Control-Allow-Origin header, the returned origin doesn't match your site's origin, or credentials are being sent with a wildcard (*) origin (which is not allowed). Our CORS Checker sends the exact headers a browser would send and shows you the server's response.
For certain types of requests (non-GET/POST, or requests with custom headers), browsers send an OPTIONS request first to check if the actual request is allowed. This is called a preflight. Our tool automatically sends both the simple request and the preflight OPTIONS request so you can see both sets of results.
CORS is enforced by browsers β server-to-server requests are not subject to CORS. A common workaround for CORS issues is to create a server-side proxy that makes the request on behalf of the browser. Our CORS Checker makes the request from our server so it can see the headers your server returns, bypassing browser CORS enforcement.
To fix CORS errors: 1) On your server, add the Access-Control-Allow-Origin header with your frontend domain, 2) Add Access-Control-Allow-Methods for the HTTP methods you use, 3) Add Access-Control-Allow-Headers for custom headers, 4) For credentials, set Access-Control-Allow-Credentials: true and specify an exact origin (not wildcard). Use InfiniUm Tools CORS Checker to verify your configuration works correctly.