← back to flaviocopes.com

CORS debugger

← All tools

Describe the page, the request, and whether cookies are involved. The tool tells you if CORS applies, simple vs preflight, and the exact headers your API must return.

~~~

One per line — e.g. authorization or content-type: application/json

~~~

Analysis

~~~

Classic CORS errors

~~~

About this tool

CORS is a browser security layer — not something your server enforces for curl or server-to-server calls. When JavaScript on one origin calls an API on another, the browser checks response headers before your code sees the body.

Simple GET/HEAD/POST requests skip preflight if headers and Content-Type stay within safelists. Everything else triggers an OPTIONS request first. Credentials and wildcards do not mix.

~~~

Read more