CORS Tester Online: Diagnose Cross-Origin Resource Sharing Issues

March 31, 2026 · 12 min read

Understanding CORS and Its Importance

Cross-Origin Resource Sharing (CORS) is a security mechanism implemented in web browsers that controls how web applications can request resources from different origins. Think of it as a bouncer at a club—it decides who gets in and who doesn't based on a specific set of rules.

By default, browsers enforce the Same-Origin Policy (SOP), which prevents JavaScript running on one domain from accessing resources on another domain. This is a fundamental security feature that protects users from malicious scripts. However, modern web applications often need to communicate with APIs and services hosted on different domains, which is where CORS comes in.

CORS provides a standardized way for servers to tell browsers: "Yes, it's okay for this particular website to access my resources." Without proper CORS configuration, legitimate cross-origin requests will be blocked, breaking functionality in your web applications.

Consider a real-world scenario: You're building an e-commerce platform where the frontend is hosted on https://myshop.com, but your product inventory API lives on https://api.inventory-service.com. Without CORS headers, your frontend JavaScript won't be able to fetch product data, leaving your customers staring at empty shelves.

CORS becomes even more critical when you're working with:

• Third-party APIs that your frontend needs to access directly
• Microservices architectures where different services run on different domains
• Content Delivery Networks (CDNs) serving assets from different origins
• Single Page Applications (SPAs) that communicate with backend APIs
• Web fonts, images, or other resources loaded from external domains

How CORS Works: The Technical Deep Dive

Understanding how CORS works under the hood helps you diagnose issues more effectively. The CORS mechanism involves two types of requests: simple requests and preflight requests.

Simple Requests

A simple request is one that meets all of these conditions:

• Uses one of these HTTP methods: GET, HEAD, or POST
• Only includes CORS-safe headers like Accept, Accept-Language, Content-Language, or Content-Type
• If Content-Type is used, it must be application/x-www-form-urlencoded, multipart/form-data, or text/plain

For simple requests, the browser sends the request directly with an Origin header. The server responds with an Access-Control-Allow-Origin header indicating whether the origin is permitted. If the header matches the requesting origin (or is set to *), the browser allows the response to be read by the JavaScript code.

Preflight Requests

Any request that doesn't meet the simple request criteria triggers a preflight request. This is an OPTIONS request sent by the browser before the actual request to check if the CORS protocol is understood and the actual request is safe to send.

The preflight request includes headers like:

• Access-Control-Request-Method: The HTTP method of the actual request
• Access-Control-Request-Headers: Custom headers that will be sent with the actual request
• Origin: The origin making the request

The server must respond to the preflight with appropriate CORS headers indicating what's allowed. Only if the preflight succeeds does the browser send the actual request.

Common CORS Issues and Error Messages

CORS errors are among the most frustrating issues developers encounter. Let's break down the most common problems and what they actually mean.

Missing Access-Control-Allow-Origin Header

This is the most common CORS error you'll see. The browser console will show something like:

Access to fetch at 'https://api.example.com/data' from origin 'https://myapp.com' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource.

This means the server didn't include the required CORS header in its response. The fix is straightforward: configure your server to send the Access-Control-Allow-Origin header with either the specific origin or * for public APIs.

Incorrect HTTP Method

When you try to use an HTTP method that the server hasn't explicitly allowed, you'll see an error like:

Access to fetch at 'https://api.example.com/data' from origin 'https://myapp.com' has been blocked by CORS policy: Method PUT is not allowed by Access-Control-Allow-Methods in preflight response.

This happens during the preflight phase. Your server needs to include the HTTP method in the Access-Control-Allow-Methods header.

Credentials Not Supported

If you're trying to send cookies or authentication headers but the server isn't configured for it, you'll encounter:

Access to fetch at 'https://api.example.com/data' from origin 'https://myapp.com' has been blocked by CORS policy: The value of the 'Access-Control-Allow-Credentials' header in the response is '' which must be 'true' when the request's credentials mode is 'include'.

To fix this, the server must send Access-Control-Allow-Credentials: true, and importantly, cannot use Access-Control-Allow-Origin: * when credentials are involved—it must specify the exact origin.

Custom Headers Not Allowed

Modern applications often use custom headers for API keys, authentication tokens, or other metadata. If these aren't explicitly allowed, you'll see:

Request header field x-api-key is not allowed by Access-Control-Allow-Headers in preflight response.

The solution is to include your custom headers in the Access-Control-Allow-Headers response header.

Using a CORS Tester Effectively

A CORS tester is an invaluable tool for diagnosing cross-origin issues without writing code. It simulates browser requests and shows you exactly what CORS headers are being sent and received. You can use our CORS Tester to quickly diagnose issues.

What a Good CORS Tester Should Do

An effective CORS testing tool should provide:

• The ability to specify the target URL and origin
• Options to select different HTTP methods (GET, POST, PUT, DELETE, etc.)
• Custom header configuration to test specific scenarios
• Clear display of both request and response headers
• Indication of whether the CORS check passed or failed
• Detailed error messages explaining what went wrong

Step-by-Step Testing Process

Here's how to use a CORS tester effectively:

1. Enter the API endpoint URL you want to test
2. Specify the origin that will be making the request (your frontend domain)
3. Select the HTTP method your application will use
4. Add any custom headers your application sends (like Authorization or X-API-Key)
5. Run the test and examine the results
6. Review the response headers to see what CORS policies are in place
7. Identify missing or incorrect headers that need to be configured on the server

Interpreting Test Results

When you run a CORS test, pay attention to these key indicators:

• Preflight status: Did the OPTIONS request succeed? If not, your server might not be handling preflight requests correctly.
• Access-Control-Allow-Origin value: Does it match your origin or is it set to *? If it doesn't match, the request will fail.
• Allowed methods: Is your intended HTTP method listed in Access-Control-Allow-Methods?
• Allowed headers: Are all your custom headers included in Access-Control-Allow-Headers?
• Credentials support: If you need to send cookies, is Access-Control-Allow-Credentials set to true?

You can also use our HTTP Headers Analyzer to get a detailed breakdown of all headers being sent and received, which complements CORS testing perfectly.

Practical Examples of Diagnosing CORS Problems

Example 1: Social Media Integration

Let's say you're building a social media dashboard that aggregates posts from multiple platforms. Your frontend at https://dashboard.example.com needs to fetch data from https://api.socialmedia.com.

You're making a POST request to create a new post, but you keep getting CORS errors. Here's how to diagnose it:

1. Open your CORS tester and enter https://api.socialmedia.com/posts
2. Set the origin to https://dashboard.example.com
3. Select POST as the method
4. Add the Content-Type header: application/json
5. Add your Authorization header: Bearer your-token-here
6. Run the test

The test reveals that the server only allows GET requests. The Access-Control-Allow-Methods header shows: GET, HEAD, OPTIONS. You need to contact the API provider to enable POST requests, or check if there's a different endpoint for creating posts.

Example 2: E-commerce Inventory System

Your e-commerce site at https://shop.example.com pulls inventory data from https://inventory.example.com. The API requires a custom header X-Shop-ID to identify which store is making the request.

Testing reveals the error: "Request header field x-shop-id is not allowed by Access-Control-Allow-Headers in preflight response."

The solution: Update your inventory service to include X-Shop-ID in the Access-Control-Allow-Headers response. After the fix, your CORS tester should show this header in the allowed list.

Example 3: Payment Gateway Integration

You're integrating a payment gateway that requires sending user credentials (cookies) with each request. Your application at https://checkout.mystore.com calls https://payments.gateway.com.

The CORS test shows:

• Access-Control-Allow-Origin: *
• Access-Control-Allow-Credentials: false

This configuration won't work for credentialed requests. The payment gateway needs to:

1. Change Access-Control-Allow-Origin from * to https://checkout.mystore.com
2. Set Access-Control-Allow-Credentials: true

This is a security requirement—browsers won't allow wildcard origins when credentials are involved.

Implementing CORS on the Server Side

Understanding how to implement CORS on various server platforms is crucial for fixing issues at the source. Let's look at implementations across popular technologies.

Node.js with Express

The most straightforward way to add CORS support in Express is using the cors middleware:

const express = require('express');
const cors = require('cors');
const app = express();

// Simple usage - allows all origins
app.use(cors());

// Configured usage - more control
app.use(cors({
  origin: 'https://myapp.com',
  methods: ['GET', 'POST', 'PUT', 'DELETE'],
  allowedHeaders: ['Content-Type', 'Authorization', 'X-API-Key'],
  credentials: true,
  maxAge: 86400 // 24 hours
}));

app.get('/api/data', (req, res) => {
  res.json({ message: 'CORS is working!' });
});

app.listen(3000);

For more granular control, you can use a function to dynamically determine allowed origins:

const corsOptions = {
  origin: function (origin, callback) {
    const allowedOrigins = [
      'https://myapp.com',
      'https://staging.myapp.com',
      'http://localhost:3000'
    ];
    
    if (!origin || allowedOrigins.indexOf(origin) !== -1) {
      callback(null, true);
    } else {
      callback(new Error('Not allowed by CORS'));
    }
  },
  credentials: true
};

app.use(cors(corsOptions));

Python with Flask

Flask applications can use the flask-cors extension:

from flask import Flask
from flask_cors import CORS

app = Flask(__name__)

# Simple usage
CORS(app)

# Configured usage
CORS(app, resources={
    r"/api/*": {
        "origins": ["https://myapp.com"],
        "methods": ["GET", "POST", "PUT", "DELETE"],
        "allow_headers": ["Content-Type", "Authorization"],
        "supports_credentials": True,
        "max_age": 86400
    }
})

@app.route('/api/data')
def get_data():
    return {'message': 'CORS is working!'}

PHP

For PHP applications, you can set CORS headers manually:

<?php
// Handle preflight requests
if ($_SERVER['REQUEST_METHOD'] === 'OPTIONS') {
    header('Access-Control-Allow-Origin: https://myapp.com');
    header('Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS');
    header('Access-Control-Allow-Headers: Content-Type, Authorization, X-API-Key');
    header('Access-Control-Allow-Credentials: true');
    header('Access-Control-Max-Age: 86400');
    http_response_code(204);
    exit;
}

// Set CORS headers for actual requests
header('Access-Control-Allow-Origin: https://myapp.com');
header('Access-Control-Allow-Credentials: true');

// Your API logic here
echo json_encode(['message' => 'CORS is working!']);
?>

Nginx Configuration

If you're using Nginx as a reverse proxy, you can handle CORS at the server level:

server {
    listen 80;
    server_name api.example.com;

    location /api/ {
        if ($request_method = 'OPTIONS') {
            add_header 'Access-Control-Allow-Origin' 'https://myapp.com' always;
            add_header 'Access-Control-Allow-Methods' 'GET, POST, PUT, DELETE, OPTIONS' always;
            add_header 'Access-Control-Allow-Headers' 'Content-Type, Authorization, X-API-Key' always;
            add_header 'Access-Control-Allow-Credentials' 'true' always;
            add_header 'Access-Control-Max-Age' 86400 always;
            add_header 'Content-Length' 0;
            add_header 'Content-Type' 'text/plain';
            return 204;
        }

        add_header 'Access-Control-Allow-Origin' 'https://myapp.com' always;
        add_header 'Access-Control-Allow-Credentials' 'true' always;
        
        proxy_pass http://backend:3000;
    }
}

CORS Headers Explained in Detail

Understanding each CORS header and its purpose helps you configure your server correctly and troubleshoot issues faster.

Response Headers (Server to Browser)

Access-Control-Allow-Origin

This is the most critical CORS header. It specifies which origins are allowed to access the resource. Values can be:

• * - Allows any origin (not recommended for sensitive data)
• A specific origin like https://myapp.com
• null - Rarely used, allows requests with null origin

You cannot specify multiple origins in a single header. If you need to allow multiple origins, implement server-side logic to check the request origin and respond with the matching allowed origin.

Access-Control-Allow-Methods

Specifies which HTTP methods are allowed when accessing the resource. Common values include:

• GET, POST, PUT, DELETE, PATCH, OPTIONS

This header is only sent in response to preflight requests.

Access-Control-Allow-Headers

Lists which HTTP headers can be used during the actual request. This is crucial for custom headers like:

• Authorization - For authentication tokens
• Content-Type - For specifying request body format
• X-API-Key - For API key authentication
• X-Requested-With - Often used by AJAX libraries

Access-Control-Allow-Credentials

Indicates whether the response can be exposed when the credentials flag is true. Must be set to true if you're sending cookies, authorization headers, or TLS client certificates. When this is true, Access-Control-Allow-Origin cannot be *.

Access-Control-Max-Age

Specifies how long (in seconds) the results of a preflight request can be cached. This reduces the number of preflight requests for the same resource. Common values:

• 86400 - 24 hours (recommended for production)
• 3600 - 1 hour (good for development)
• -1 - Disables caching (useful for debugging)

Access-Control-Expose-Headers

By default, browsers only expose a limited set of response headers to JavaScript. This header allows you to expose additional headers like:

• X-Total-Count - For pagination information
• X-RateLimit-Remaining - For rate limit status
• ETag - For caching

Request Headers (Browser to Server)

Origin

Automatically added by the browser, indicates the origin of the requesting site. Cannot be modified by JavaScript for security reasons.

Access-Control-Request-Method

Sent in preflight requests to indicate which HTTP method will be used in the actual request.

Access-Control-Request-Headers

Sent in preflight requests to indicate which headers will be used in the actual request.