CORS Policy Tester
Test any URL's CORS policy by sending a real request with your chosen Origin header. See Access-Control-Allow-Origin, preflight response headers, and a plain-English verdict on whether cross-origin access is permitted.
CORS Header Reference
| Header | Purpose |
|---|---|
| Access-Control-Allow-Origin | Which origins may access the resource. * = any; specific origin = restricted. |
| Access-Control-Allow-Methods | HTTP methods the server allows for cross-origin requests (preflight only). |
| Access-Control-Allow-Headers | Request headers the server permits in cross-origin requests (preflight only). |
| Access-Control-Allow-Credentials | Whether cookies and auth headers can be sent. Must be "true" for credentialed requests. |
| Access-Control-Max-Age | How long (seconds) the browser may cache a preflight response. |
| Access-Control-Expose-Headers | Which response headers the browser script may read (default: only safe headers). |
| Vary: Origin | Tells CDNs to cache separate responses per Origin value — required for correct caching with CORS. |
Disclaimer: Free tool provided “as is” by MonitorGiant. No warranty or liability for any data loss, security issues, or infrastructure problems arising from use of this tool. Results are for informational purposes only. · A Free Tool by MonitorGiant
What is CORS Policy Tester?
CORS (Cross-Origin Resource Sharing) is the browser security mechanism that controls which origins (domains) can make JavaScript requests to an API or resource on a different domain. When your frontend at app.example.com tries to fetch data from api.other.com, the browser checks the CORS headers the server returns; if the server doesn't explicitly allow your origin, the browser blocks the request or withholds the response from your script. This tool sends a real request from an edge server with your chosen Origin header and shows you exactly what headers the target returns.
How to use this tool
1. Enter the target URL: the API endpoint or resource you want to test, e.g. https://api.example.com/v1/data.
2. Enter the Origin you want to test with. This should be your frontend's domain, e.g. https://yourapp.com.
3. Select the HTTP method. Non-simple methods (PUT, PATCH, DELETE) trigger a preflight OPTIONS request from browsers.
4. Click 'Test CORS Policy'. The tool sends both a simple request and a preflight OPTIONS request from a server edge, and shows the CORS response headers from each.
5. Read the verdict banner: green means your origin is explicitly allowed, yellow means wildcard (all origins), red means CORS is blocking cross-origin access.
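The verdict colours in step 5 can be reproduced from the response headers alone. The following is an added example, not the tool's own code: the function names and sample responses are hypothetical, and it assumes standard browser behaviour for credentialed requests (wildcard rejected, Access-Control-Allow-Credentials must be exactly "true") and for CORS-safelisted methods.

```javascript
// Added example: verdict logic for CORS response headers (not the tool's own code).
// Header names are matched case-insensitively; values are compared exactly, as browsers do.
function lower(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = String(v).trim();
  return out;
}

// Returns { verdict: 'green' | 'yellow' | 'red', notes: [...] } for one response.
function corsVerdict(headers, origin, { credentials = false } = {}) {
  const h = lower(headers);
  const acao = h['access-control-allow-origin'];
  const notes = [];
  if (acao === undefined) return { verdict: 'red', notes: ['no Access-Control-Allow-Origin header'] };
  if (acao === '*') {
    if (credentials) return { verdict: 'red', notes: ['wildcard is not accepted for credentialed requests'] };
    return { verdict: 'yellow', notes: ['any origin may read this response'] };
  }
  if (acao !== origin) return { verdict: 'red', notes: [`allowed origin is ${acao}, not ${origin}`] };
  if (credentials && h['access-control-allow-credentials'] !== 'true') {
    return { verdict: 'red', notes: ['Access-Control-Allow-Credentials must be "true"'] };
  }
  const vary = (h['vary'] || '').toLowerCase().split(',').map((s) => s.trim());
  if (!vary.includes('origin') && !vary.includes('*')) {
    notes.push('origin-specific response without Vary: Origin may be cached for the wrong origin');
  }
  return { verdict: 'green', notes };
}

// Preflight check: does the OPTIONS response permit this method?
// GET, HEAD and POST are CORS-safelisted and need no listing.
function preflightAllowsMethod(headers, method, { credentials = false } = {}) {
  if (['GET', 'HEAD', 'POST'].includes(method)) return true;
  const allowed = (lower(headers)['access-control-allow-methods'] || '').split(',').map((s) => s.trim());
  return allowed.includes(method) || (!credentials && allowed.includes('*'));
}

// Constructed sample responses (not captured from a real server).
const reflected = { 'Access-Control-Allow-Origin': 'https://yourapp.com', 'Access-Control-Allow-Credentials': 'true' };
const wildcard = { 'access-control-allow-origin': '*' };
const preflight = { 'Access-Control-Allow-Origin': 'https://yourapp.com', 'Access-Control-Allow-Methods': 'GET, PUT' };

console.log(corsVerdict(reflected, 'https://yourapp.com', { credentials: true }));
console.log(corsVerdict(wildcard, 'https://yourapp.com'));
console.log(preflightAllowsMethod(preflight, 'DELETE'));
```

A green verdict with a note about Vary: Origin is still worth fixing on your own API, since a shared cache can otherwise serve one origin's response to another.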
When would you use this?
- Debugging a CORS error in your browser's developer console — verify what headers the server actually returns rather than guessing.
- Before integrating a third-party API into a frontend — confirm the API supports CORS for your domain before writing code.
- Configuring your own API's CORS policy — test that your server correctly reflects the right origin in responses and handles preflight requests.
How it works
1. Enter the target URL and origin
   The URL is the API endpoint you want to test. The origin is your frontend's domain, which is what a browser would send as the Origin header.
2. Run the test
   Requests are made from a Netlify edge server, bypassing browser CORS restrictions so you can see the raw server response. Both a simple request and a preflight OPTIONS request are sent.
3. Read the CORS headers
   Switch between the Simple Request and Preflight tabs. Green "allowed" means your origin is permitted. The header reference at the bottom explains what each CORS header does.
Requests are proxied through a Netlify edge function to bypass browser CORS restrictions. The target URL and origin you enter are used only to make the CORS test request — they are not stored.