🌍 CORS Tester
Send a CORS preflight (OPTIONS) and real request from a chosen Origin to verify Access-Control-Allow-Origin / Methods / Headers / Credentials / Max-Age.
100% Free
No signup
Server-side
No logs / DB
Rate-limited
5 languages
Dark mode
📚 CORS Basics
• Browsers block fetch / XHR to different origins. That is the same-origin policy.
• CORS lets the server declare "allowed origins" via Access-Control-Allow-Origin.
• A preflight request is an OPTIONS request that the browser sends before the actual request. It occurs when using custom headers or non-simple methods (PUT, DELETE, etc.).
• Access-Control-Allow-Credentials: true cannot be combined with Access-Control-Allow-Origin: * — must use a specific origin.