CORS debugger
Describe the page, the request, and whether cookies are involved. The tool tells you if CORS applies, simple vs preflight, and the exact headers your API must return.
~~~
One per line — e.g. authorization or content-type: application/json
~~~
Analysis
Origins —
Request type:
Required response headers
| Header | Value | Why |
|---|---|---|
Preflight OPTIONS exchange
Browser sends:
Server should respond with:
~~~
Classic CORS errors
Cause:
Fix:
~~~
About this tool
CORS is a browser security layer — not something your server enforces for curl or server-to-server calls. When JavaScript on one origin calls an API on another, the browser checks response headers before your code sees the body.
Simple GET/HEAD/POST requests skip preflight if headers and Content-Type stay within safelists. Everything else triggers an OPTIONS request first. Credentials and wildcards do not mix.
~~~