How it works
This tool sends an OPTIONS preflight to the target URL from our server with the Origin you specify, then reports the Access-Control-* headers the server returns — including for origins your browser could never test directly.
CORS headers reference
Cross-Origin Resource Sharing works via response headers the server sends:
| Header | Purpose | Example |
|---|---|---|
| `Access-Control-Allow-Origin` | Origins allowed to read the response | `https://buildstud.io` or `*` |
| `Access-Control-Allow-Methods` | HTTP methods allowed | `GET, POST, PUT, DELETE` |
| `Access-Control-Allow-Headers` | Request headers allowed | `Content-Type, Authorization` |
| `Access-Control-Allow-Credentials` | Permit cookies + Authorization header | `true` (incompatible with `*` origin) |
| `Access-Control-Max-Age` | How long to cache preflight response (seconds) | `86400` (24 hours) |
| `Access-Control-Expose-Headers` | Response headers JS can read | `X-Total-Count` |
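How a browser applies these headers to a preflight response, as an added example (not this tool's own code). `checkPreflight`, its argument shapes and the sample values are assumptions for illustration; `req.headers` is assumed to list only the non-safelisted request header names.

```javascript
// Added example: judge a preflight response the way a browser would.
// checkPreflight() and its argument shapes are hypothetical, not a real API.
const SAFELISTED_METHODS = ['GET', 'HEAD', 'POST'];
const parseList = (value) =>
  (value || '').split(',').map((s) => s.trim()).filter(Boolean);

function checkPreflight(req, responseHeaders) {
  // Header names are case-insensitive, so normalise them before lookup.
  const h = {};
  for (const [k, v] of Object.entries(responseHeaders)) h[k.toLowerCase()] = String(v).trim();

  const problems = [];
  const allowOrigin = h['access-control-allow-origin'];
  if (!allowOrigin) {
    problems.push('Access-Control-Allow-Origin is missing');
  } else if (allowOrigin === '*') {
    if (req.credentials) problems.push('"*" origin is rejected for credentialed requests');
  } else if (allowOrigin !== req.origin) {
    problems.push(`origin ${req.origin} is not allowed`);
  }
  if (req.credentials && h['access-control-allow-credentials'] !== 'true') {
    problems.push('Access-Control-Allow-Credentials is not "true"');
  }

  // "*" in the method and header lists only counts without credentials.
  const wildcard = (list) => !req.credentials && list.includes('*');

  const methods = parseList(h['access-control-allow-methods']);
  if (!SAFELISTED_METHODS.includes(req.method) && !methods.includes(req.method) && !wildcard(methods)) {
    problems.push(`method ${req.method} is not allowed`);
  }

  const allowedHeaders = parseList(h['access-control-allow-headers']).map((s) => s.toLowerCase());
  for (const name of req.headers.map((s) => s.toLowerCase())) {
    // Authorization must be listed by name; "*" never covers it.
    const covered = allowedHeaders.includes(name) || (wildcard(allowedHeaders) && name !== 'authorization');
    if (!covered) problems.push(`request header ${name} is not allowed`);
  }
  return { allowed: problems.length === 0, problems };
}

// Constructed sample: the header values used in the nginx snippet on this page.
const sampleResponse = {
  'Access-Control-Allow-Origin': 'https://buildstud.io',
  'Access-Control-Allow-Methods': 'GET, POST, OPTIONS',
};
console.log(checkPreflight(
  { origin: 'https://buildstud.io', method: 'PUT', headers: ['Content-Type'], credentials: false },
  sampleResponse));
```

With the constructed sample, the PUT request is rejected twice over: the method is not listed and no `Access-Control-Allow-Headers` value covers `Content-Type`.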
Enabling CORS in common frameworks
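```js
// Express (Node.js)
const express = require('express');
const cors = require('cors');

const app = express();
// Register before the routes so every response carries the CORS headers
app.use(cors({
  origin: ['https://buildstud.io', 'https://www.webority.com'],
  methods: ['GET', 'POST', 'PUT', 'DELETE'],
  allowedHeaders: ['Content-Type', 'Authorization'],
  credentials: true
}));
```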
```csharp
// ASP.NET Core (Program.cs)
builder.Services.AddCors(o => o.AddDefaultPolicy(p => p
    .WithOrigins("https://buildstud.io")
    .AllowAnyHeader()
    .AllowAnyMethod()
    .AllowCredentials()));

var app = builder.Build();
app.UseCors();
```
```python
# Django (django-cors-headers), in settings.py
INSTALLED_APPS += ['corsheaders']
# Keep CorsMiddleware near the top, above CommonMiddleware
MIDDLEWARE = ['corsheaders.middleware.CorsMiddleware', ...]
CORS_ALLOWED_ORIGINS = ['https://buildstud.io']
```
```python
# Flask (flask-cors)
from flask import Flask
from flask_cors import CORS

app = Flask(__name__)
CORS(app, origins=['https://buildstud.io'])
```
```nginx
# nginx (proxy layer)
add_header Access-Control-Allow-Origin 'https://buildstud.io' always;
add_header Access-Control-Allow-Methods 'GET, POST, OPTIONS' always;
```
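```js
// Cloudflare Worker (edge CORS injection without server changes)
export default {
  async fetch(request) {
    const upstream = await fetch(request);
    const response = new Response(upstream.body, upstream); // fetched headers are immutable; copy first
    response.headers.set('Access-Control-Allow-Origin', 'https://buildstud.io');
    return response;
  } };
```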
Frequently Asked Questions
How do I test CORS for a REST API?
Enter the API URL and origin. The tester sends a CORS preflight (OPTIONS) and actual request from your browser, then reports whether `Access-Control-Allow-Origin`, `Access-Control-Allow-Methods` and `Access-Control-Allow-Headers` allow your request — in real browser-enforced semantics, not simulated.
What is a CORS preflight and why does it fail?
A preflight OPTIONS request runs automatically before any non-simple cross-origin call (custom headers, non-GET methods, etc.). The server must respond with proper `Access-Control-Allow-*` headers within 10s or the real request never fires. When the preflight fails, the browser blocks the call.
How do I fix a CORS error?
On the server: add `Access-Control-Allow-Origin: <your-origin>` (not `*` if sending credentials), `Access-Control-Allow-Methods: GET,POST,PUT,DELETE`, `Access-Control-Allow-Headers: Content-Type,Authorization`. For Express: `cors()` middleware. For ASP.NET: `app.UseCors()`. For nginx: `add_header Access-Control-*`.
What's the difference between CORS and the same-origin policy?
Same-origin policy is the browser security rule: JavaScript can only read responses from the same origin (scheme + host + port). CORS is the standard way to relax it — servers explicitly opt in per-origin. Without CORS headers, the browser blocks cross-origin reads by default.
Can I bypass CORS in development?
For local dev only: browser flags like `--disable-web-security`, dev proxies (Webpack, Vite `server.proxy`), or server-side proxying. For production, the correct fix is updating server CORS headers. Never disable CORS in the browser for real users.
Copyright © 2026 BuildStudio. All rights reserved.
Designed and Developed by Webority Technologies