CORS Policy Tester
Test and debug CORS configurations with simulated browser scenarios.
Separate multiple origins with commas. Use * to allow any origin (but not with credentials)
About this tool
Cross-Origin Resource Sharing (CORS) is a critical web security mechanism that controls how browsers handle requests between different domains. Misconfigured CORS policies can cause your application to fail silently, while overly permissive policies expose your API to unwanted access. The CORS Policy Tester helps developers understand and validate their server's CORS configuration by simulating real browser scenarios without needing to set up multiple domains or deploy test code.
To use this tool, enter your API endpoint URL and select the scenario that matches your use case—such as same-origin requests, cross-origin with simple headers, or complex preflight requests with custom headers or HTTP methods. The tool will simulate the browser's CORS validation process and show you exactly what headers your server should send in response, whether the request would succeed, and what error messages browsers would display if the policy is misconfigured. This makes it easy to debug CORS issues before they reach production.
This tool is invaluable for developers working with REST APIs, microservices, or any backend that needs to serve requests from web clients on different domains. It's particularly helpful when developing in local environments where your frontend and backend run on different ports, or when integrating third-party services. By testing various CORS scenarios, you can ensure your API is both secure and functional.
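As an added example (not code from the tool itself), a small Python model of the browser-side validation the scenarios above describe: given the request a page would send and the headers the server returned, it decides whether the browser would expose the response and which error it would report. The error strings are constructed paraphrases of Chromium's console messages, and header-name matching is deliberately case-insensitive.

```python
# Added example (not the tool's or Flask's own code): a minimal model of the browser-side
# CORS check the tester simulates. Error texts are constructed, paraphrasing Chromium's.
SIMPLE_METHODS = {"GET", "HEAD", "POST"}
SAFELISTED = {"accept", "accept-language", "content-language", "content-type"}
SIMPLE_CT = {"application/x-www-form-urlencoded", "multipart/form-data", "text/plain"}

def is_safelisted(name, value):
    """CORS-safelisted request header; Content-Type only for the three simple MIME types."""
    lname = name.lower()
    if lname == "content-type":
        return value.split(";")[0].strip().lower() in SIMPLE_CT
    return lname in SAFELISTED

def needs_preflight(method, req_headers):
    """A 'simple' request (GET/HEAD/POST with safelisted headers only) skips the OPTIONS preflight."""
    return method.upper() not in SIMPLE_METHODS or any(
        not is_safelisted(n, v) for n, v in req_headers.items())

def _csv(value):
    return {v.strip().lower() for v in value.split(",") if v.strip()}

def check_cors(origin, method, req_headers, credentials, resp_headers):
    """Return (allowed, error) as the browser would decide for a cross-origin request."""
    resp = {k.lower(): v for k, v in resp_headers.items()}
    acao = resp.get("access-control-allow-origin")
    if acao is None:
        return False, "No 'Access-Control-Allow-Origin' header is present on the requested resource."
    if acao == "*" and credentials:
        return False, "'Access-Control-Allow-Origin' must not be '*' when the credentials mode is 'include'."
    if acao not in ("*", origin):
        return False, f"'Access-Control-Allow-Origin' value '{acao}' does not match origin '{origin}'."
    if credentials and resp.get("access-control-allow-credentials", "").lower() != "true":
        return False, "'Access-Control-Allow-Credentials' must be 'true' when the credentials mode is 'include'."
    if not needs_preflight(method, req_headers):
        return True, ""
    # Preflight: '*' in the method/header lists is ignored when credentials are sent, and
    # Authorization is never covered by '*' in Access-Control-Allow-Headers.
    wildcard_ok = not credentials
    methods = _csv(resp.get("access-control-allow-methods", ""))
    if method.upper() not in SIMPLE_METHODS and method.lower() not in methods and not (
            wildcard_ok and "*" in methods):
        return False, f"Method {method.upper()} is not allowed by Access-Control-Allow-Methods in preflight response."
    allowed_h = _csv(resp.get("access-control-allow-headers", ""))
    for name, value in req_headers.items():
        if is_safelisted(name, value) or name.lower() in allowed_h or (
                wildcard_ok and "*" in allowed_h and name.lower() != "authorization"):
            continue
        return False, f"Request header field {name} is not allowed by Access-Control-Allow-Headers in preflight response."
    return True, ""
```

Feed it the headers your endpoint actually returns (for example, the output of a `curl -i -X OPTIONS` with an `Origin` header) to see the same verdict the browser would reach.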
Code Implementation
# CORS headers generator (Flask example)
from flask import Flask, request, jsonify

app = Flask(__name__)

CORS_CONFIG = {
    # Explicit origins only; "*" is honoured solely when allow_credentials is False.
    "allowed_origins": ["https://example.com", "https://app.example.com"],
    "allowed_methods": ["GET", "POST", "PUT", "DELETE", "OPTIONS"],
    "allowed_headers": ["Content-Type", "Authorization", "X-Requested-With"],
    "allow_credentials": True,
    "max_age": 86400,
}

def add_cors_headers(response, origin):
    allowed = CORS_CONFIG["allowed_origins"]
    if origin and origin in allowed:
        # Echo the matched origin and tell caches that the response varies by Origin.
        response.headers["Access-Control-Allow-Origin"] = origin
        response.vary.add("Origin")
        if CORS_CONFIG["allow_credentials"]:
            response.headers["Access-Control-Allow-Credentials"] = "true"
    elif "*" in allowed and not CORS_CONFIG["allow_credentials"]:
        # The wildcard is only safe without credentials; never reflect an unlisted origin.
        response.headers["Access-Control-Allow-Origin"] = "*"
    else:
        return response  # origin not allowed: send no CORS headers at all
    response.headers["Access-Control-Allow-Methods"] = ", ".join(CORS_CONFIG["allowed_methods"])
    response.headers["Access-Control-Allow-Headers"] = ", ".join(CORS_CONFIG["allowed_headers"])
    response.headers["Access-Control-Max-Age"] = str(CORS_CONFIG["max_age"])
    return response

@app.before_request
def handle_preflight():
    # Answer OPTIONS preflights directly; other requests fall through (returns None).
    if request.method == "OPTIONS":
        response = app.make_default_options_response()
        return add_cors_headers(response, request.headers.get("Origin", ""))

@app.after_request
def apply_cors(response):
    # Runs for every response, so the actual (post-preflight) request gets the headers too.
    return add_cors_headers(response, request.headers.get("Origin", ""))

@app.route("/api/data")
def data():
    return jsonify({"message": "CORS configured successfully"})