
CORS Checker

Test Cross-Origin Resource Sharing (CORS) headers for any URL. Check if an API or resource allows requests from your domain.

How to Use CORS Checker

  1. Enter the API or resource URL you want to test.
  2. Optionally specify the Origin header to test (defaults to our server).
  3. See all CORS response headers and whether cross-origin requests are allowed.
  4. Use the diagnostics to fix CORS misconfigurations.

Frequently Asked Questions

What is CORS and why does it matter?
Cross-Origin Resource Sharing (CORS) is a browser security mechanism that controls which websites can make requests to your API or server. Without proper CORS headers, browsers will block JavaScript fetch/XHR requests from other domains. Misconfigured CORS can either break legitimate integrations or expose your API to unauthorized access.
What does this CORS checker test?
It sends an OPTIONS preflight request (and a fallback GET) to your URL with the specified origin, then inspects all Access-Control-Allow-* response headers. It checks whether the origin is allowed, which methods and headers are permitted, whether credentials are supported, and flags security issues such as the wildcard-plus-credentials conflict.
What is the difference between a simple request and a preflight?
Simple requests (GET/POST with standard headers) are sent directly. Preflight requests are OPTIONS requests sent by browsers before the real request to check if the server permits the cross-origin call. This checker tests the preflight path, which is what most APIs with custom headers or non-simple methods require.
Why is Access-Control-Allow-Origin: * a security issue?
A wildcard (*) allows any website to read your server's responses. For public APIs this may be intentional, but for APIs handling authenticated data it means any malicious website could potentially access your users' data if the user visits it. Use specific origins like https://yourdomain.com instead.
Can I use credentials with a wildcard origin?
No. The CORS specification explicitly prohibits combining Access-Control-Allow-Origin: * with Access-Control-Allow-Credentials: true. Browsers will reject this combination. To allow credentials, you must reflect the specific request Origin in your Access-Control-Allow-Origin response header.
What does "Access-Control-Max-Age" do?
Max-Age tells browsers how long (in seconds) to cache the preflight response. Without it, browsers send an OPTIONS preflight before every cross-origin request, adding latency. Setting it to 86400 (24 hours) is common for stable APIs. Chrome caps it at 7200s, Firefox at 86400s.
My CORS check passes but my browser still blocks the request — why?
This tool checks server-level CORS headers but cannot simulate all browser behavior. Common causes: (1) the request includes non-simple headers that are not listed in Access-Control-Allow-Headers, (2) credentials are sent but the server returns a wildcard origin, (3) the response sets cookies with SameSite=None but without Secure, (4) a redirect changes the origin. Check the browser DevTools Network tab for the exact error.
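The checks described in the answers above (origin allowed or not, wildcard versus credentials, the preflight cache caps) can be expressed as a small offline evaluator. The code below is an added example and is not the ZenovayTools checker's own code: the function names (analyzeCors, detectsOriginReflection, effectivePreflightCacheSeconds), the example origins and the header sets are all constructed here. It goes one step beyond the FAQ by also flagging a server that echoes any Origin back while allowing credentials, which has the same effect as a wildcard for authenticated data, and by noting a missing Vary: Origin header on allowlisted responses.

```javascript
// Added example: evaluate CORS response headers the way a browser would,
// using constructed header sets rather than live requests.

// Per-browser caps on Access-Control-Max-Age (seconds), as stated in the FAQ.
const BROWSER_PREFLIGHT_CAP = { chrome: 7200, firefox: 86400 };

// Lowercase header names so lookups are case-insensitive.
function normalizeHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    out[name.toLowerCase()] = String(value).trim();
  }
  return out;
}

// Decide whether a page on `origin` may read this response, and collect
// findings a defender would act on.
function analyzeCors(origin, rawHeaders) {
  const h = normalizeHeaders(rawHeaders);
  const acao = h['access-control-allow-origin'];
  const credentials = h['access-control-allow-credentials'] === 'true';
  const findings = [];
  let allowed = false;

  if (acao === undefined) {
    findings.push('no Access-Control-Allow-Origin header: cross-origin reads are blocked');
  } else if (acao === '*') {
    if (credentials) {
      // The spec forbids this pairing and browsers reject the response.
      findings.push('wildcard origin combined with Allow-Credentials: true (browsers reject this)');
    } else {
      allowed = true;
      findings.push('wildcard origin: any site can read this response; acceptable only for public data');
    }
  } else if (acao === origin) {
    allowed = true;
    const vary = (h['vary'] || '').toLowerCase().split(',').map((s) => s.trim());
    if (!vary.includes('origin')) {
      findings.push('specific origin returned without Vary: Origin (a shared cache may serve it to other origins)');
    }
  } else {
    findings.push(`origin ${origin} is not allowed (server returned ${acao})`);
  }
  return { allowed, credentials, findings };
}

// Origin reflection: if both a trusted origin and an unrelated probe origin are
// echoed back with credentials allowed, the server has effectively opened
// authenticated data to every site. `respond` maps an Origin to response headers.
function detectsOriginReflection(respond, trustedOrigin, probeOrigin) {
  const trusted = analyzeCors(trustedOrigin, respond(trustedOrigin));
  const probe = analyzeCors(probeOrigin, respond(probeOrigin));
  return trusted.allowed && trusted.credentials && probe.allowed && probe.credentials;
}

// Effective preflight cache lifetime once the browser's cap is applied.
function effectivePreflightCacheSeconds(maxAgeHeader, browser) {
  const requested = Number.parseInt(maxAgeHeader, 10);
  if (!Number.isFinite(requested) || requested < 0) return 0;
  const cap = BROWSER_PREFLIGHT_CAP[browser];
  return cap === undefined ? requested : Math.min(requested, cap);
}

// Constructed responders standing in for two server configurations.
const ALLOWLIST = new Set(['https://app.example.com']);

// Corrected configuration: only allowlisted origins are echoed, with Vary: Origin.
function allowlistedServer(origin) {
  const headers = { Vary: 'Origin' };
  if (ALLOWLIST.has(origin)) {
    headers['Access-Control-Allow-Origin'] = origin;
    headers['Access-Control-Allow-Credentials'] = 'true';
  }
  return headers;
}

// Weak configuration: every Origin is reflected with credentials allowed.
function reflectingServer(origin) {
  return { 'Access-Control-Allow-Origin': origin, 'Access-Control-Allow-Credentials': 'true' };
}

// Stand-alone run: report verdicts for the constructed configurations.
function demo() {
  const trusted = 'https://app.example.com';
  const probe = 'https://unlisted.example.net';
  console.log('allowlisted:', analyzeCors(trusted, allowlistedServer(trusted)));
  console.log('allowlisted server reflects any origin:', detectsOriginReflection(allowlistedServer, trusted, probe));
  console.log('reflecting server reflects any origin:', detectsOriginReflection(reflectingServer, trusted, probe));
  console.log('wildcard+credentials:', analyzeCors(trusted, {
    'Access-Control-Allow-Origin': '*', 'Access-Control-Allow-Credentials': 'true' }));
  console.log('Max-Age 86400 in Chrome is cached for', effectivePreflightCacheSeconds('86400', 'chrome'), 's');
}
demo();
```

The responders take the place of a real OPTIONS exchange so the logic runs offline; in practice the same analyzeCors call would be fed the headers returned by a fetch to the API under test, once with the origin you expect to allow and once with an origin you do not.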