CORS Headers Checker

Simulate browser CORS evaluation from request and response headers, including preflight detection.

Input data is processed in your browser
Data is never sent to a server

Tool

Enter request and response details to simulate how a browser evaluates CORS.

Request (Browser → Server)

One header per line (Header-Name: value)

Response (Server → Browser)

Request would be allowed

Origin match

Access-Control-Allow-Origin is '*', allowing all origins

Credentials

Credentials are not used (not applicable)

Method allowed

Simple method, no preflight required

Custom headers allowed

No custom headers are sent

CORS basics

What is a "simple request"?

Requests using GET/HEAD/POST with Content-Type of text/plain, multipart/form-data, or application/x-www-form-urlencoded, and no custom headers, skip the preflight step.

What is a preflight request?

Requests that don't meet the above conditions (PUT/DELETE, application/json, Authorization headers, etc.) trigger an automatic OPTIONS request from the browser before the actual request, to confirm server permission.

What is CORS Headers Checker?

This tool simulates whether your CORS configuration is correct without actually sending a request to a server.

When you get a CORS error calling an API from your frontend, this tool helps you quickly pinpoint which header setting is causing the problem. It checks four aspects — Origin, credentials, allowed methods, and allowed headers — and automatically determines whether a preflight request is required.

How to Use

  1. Enter the request details on the left (Origin, method, custom headers, and whether credentials are included).
  2. Enter the response headers your server returns on the right (Access-Control-Allow-*).
  3. Use the "Load success example" or "Load failure example" buttons to see typical cases.
  4. The result is shown as OK/NG, along with a detailed breakdown for each check (Origin match, credentials, method, headers).
  5. Whether the request requires a preflight (OPTIONS) request is also detected automatically.

FAQ

What is a preflight request?

When a request doesn't meet the conditions for a "simple request" — for example, using a method other than GET/HEAD/POST, a Content-Type like application/json, or custom headers — the browser automatically sends an OPTIONS request first to confirm the server allows it before sending the actual request.

What happens if Access-Control-Allow-Origin is set to "*"?

It allows access from any Origin, but "*" cannot be used for requests that include credentials (cookies or auth headers) — a specific Origin must be specified instead.

Does this tool make actual network requests?

No. It only simulates the browser's CORS behavior based on the values you enter and never makes any external requests.

Is the result 100% accurate?

The tool simulates the main CORS rules (Origin match, credentials, allowed methods, allowed headers), but actual browser implementations and edge cases may differ. Please do a final check in an actual browser.