Free CORS Checker & Header Inspector
Inspect CORS headers on any URL. Check Access-Control-Allow-Origin, methods, headers, credentials, and max-age. Compare preflight vs simple requests and generate server configs. Results are fetched client-side only.
How to Use the CORS Checker
- Enter the URL you want to inspect for CORS headers.
- Select a request method (GET, POST, PUT, etc.).
- Optionally specify custom headers to test.
- Click "Check" to send the request and inspect the response headers.
- View all CORS-related headers and whether the request would be allowed or blocked.
- Use the Config Generator to create server-side CORS configuration.
Common CORS Configurations
Allow All Origins
Access-Control-Allow-Origin: *
Open to all domains. Cannot be used with credentials.
Specific Origin
Access-Control-Allow-Origin: https://example.com
Only the specified origin is allowed.
With Credentials
Access-Control-Allow-Credentials: true
Allows cookies and auth headers. Requires specific origin.
Preflight vs Simple Requests
Simple requests (GET, HEAD, POST with standard headers) are sent directly. Preflight requests (PUT, DELETE, PATCH, or custom headers) trigger an OPTIONS request first to check permissions.
| Feature | Simple Request | Preflight Request |
|---|---|---|
| Methods | GET, HEAD, POST | PUT, DELETE, PATCH |
| Headers | Standard only | Custom headers allowed |
| Extra Request | No | Yes (OPTIONS) |
Frequently Asked Questions
The most common reasons are: the server doesn't send the Access-Control-Allow-Origin header, the origin doesn't match, or credentials are used with a wildcard origin.
Yes. Enter your localhost URL (e.g., http://localhost:3000) and the tool will check the CORS headers as usual.
A preflight request is an OPTIONS request sent by the browser before the actual request to check if the server allows it. This happens for non-simple methods (PUT, DELETE, PATCH) or custom headers.
Use the Config Generator above to create the appropriate CORS configuration for your server type (.htaccess for Apache, Nginx config, or Node.js Express middleware).
Use Cases
Debug CORS Errors
Debug CORS errors in API calls by inspecting Access-Control headers and identifying why your cross-origin fetch requests are being blocked.
Access-Control Validation
Validate that your server returns correct Access-Control-Allow-Origin, methods, and headers to properly enable cross-origin resource sharing.
Preflight Configuration
Test and verify your preflight OPTIONS request configuration to ensure non-simple requests like PUT and DELETE are properly authorized.
Fetch Failure Troubleshooting
Troubleshoot cross-origin fetch failures by comparing preflight vs simple request headers and identifying missing or incorrect CORS configurations.
Server CORS Policy Check
Verify your server CORS policy is correctly configured for production by testing header values, credentials, and allowed origins before deployment.