CORS Tester
Uses external APITest CORS configuration for any API endpoint — preflight, headers, pass/fail.
Test Cross-Origin Resource Sharing (CORS) headers for any URL. Sends OPTIONS preflight and actual requests from ToolDock's server, returns CORS header analysis with plain-English issues and pass/fail summary.
CORS Tester tool
Server-side — your URL is fetched from ToolDock's server to check CORS headers. The target URL receives a request from our server, not your browser.
🌐 Uses external API · See disclaimer above
How to use
Enter the target URL
Enter the API endpoint URL you want to test for CORS.
Set request origin
Enter the origin that would make the cross-origin request (e.g., https://yourapp.com).
Choose method and headers
Select the HTTP method your app uses. Add custom headers like Authorization if needed.
Review results
See the PASS/FAIL summary, the value of each CORS header, and plain-English explanations of any issues.
Common use cases
- Debugging CORS errors in the browser — Test whether a remote API returns correct CORS headers before making cross-origin requests from a web app.
- Verifying API gateway configuration — Check that an API gateway or proxy is correctly forwarding CORS headers for preflight requests.
- Testing CORS during local development — Confirm that a locally running backend allows requests from your frontend dev server origin.
Examples
Test a public API
Test https://api.github.com with origin https://example.com and method GET
OutputCORS Allowed — Access-Control-Allow-Origin: * (all origins permitted)
Frequently asked questions
- Why does CORS work in curl but not my browser?
- Browsers enforce CORS; curl does not. curl sends requests without an Origin header, so servers never apply CORS checks. Only browsers enforce the CORS policy.
- What is a preflight request?
- Before sending non-simple requests (POST with JSON, PUT, DELETE), browsers send an OPTIONS request to check if the server allows the actual request. The server must respond with appropriate Access-Control headers.
- Can I use Access-Control-Allow-Credentials with a wildcard origin?
- No. Browsers reject this combination for security reasons. If you need credentials (cookies, auth headers), you must specify an explicit origin in Access-Control-Allow-Origin, not *.
Key concepts
- CORS
- Cross-Origin Resource Sharing — a browser security mechanism that controls which origins can make requests to a server.
- Preflight request
- An OPTIONS request sent by the browser before a cross-origin request to check if the server allows the operation.
- Access-Control-Allow-Origin
- The HTTP response header that specifies which origins are permitted to access the resource.
Related tools
You might find these useful too.
- HTTP Headers Reference
Browse HTTP request and response headers with descriptions and examples.
Open - URL Parser
Parse URLs into protocol, host, path, query params, and hash.
Open - SSL Certificate Checker
Check SSL certificate validity, expiry date, issuer, and SANs for any domain.
Open - Docker Run to Compose
Convert docker run commands to docker-compose.yml YAML instantly.
Open
More api tools
- Webhook Tester
Generate a temp webhook URL to receive and inspect HTTP requests in real time.
Open - HTTP Headers Parser
Parse raw HTTP headers into a key/value table.
Open - HTTP Request Builder
Build HTTP requests visually and copy as cURL or fetch().
Open - cURL Generator
Generate cURL commands from method, URL, headers, and body instantly.
Open