Cross-Origin Resource Sharing Debugger

CORS Tester

Check if CORS policies are correctly configured.

Origin (Your Website) Note: browsers send only protocols, hostnames, and ports as the origin. Paths are not included.

Target URL

HTTP Method Note: Browsers do preflight (OPTIONS) requests for non-simple requests (e.g., POST with custom headers).

Check credentials allowed (cookies, HTTP authentication)

Origin Match: N/A

Response Details

Status Code: N/A Access-Control-Allow-Origin: N/A

Purpose: Specifies which origins are permitted to access the resource.
Format: A URL or "*" as a wildcard.
Missing: Indicates that cross-origin access might be blocked.

Access-Control-Allow-Methods: N/A

Purpose: Lists the HTTP methods allowed when accessing the resource.
Format: Comma-separated values (e.g., GET, POST).
Missing: May default to a limited set of methods.

Access-Control-Allow-Headers: N/A

Purpose: Specifies the HTTP headers that can be used during the actual request.
Format: Comma-separated header names.
Missing: The client may not be able to send custom headers.

Access-Control-Allow-Credentials: N/A

Purpose: Indicates whether credentials such as cookies or HTTP authentication are allowed.
Format: A boolean value ("true" or "false").
Missing: Authentication details will not be included in cross-origin requests.

Access-Control-Expose-Headers: N/A

Purpose: Indicates which headers can be exposed as part of the response.
Format: Comma-separated header names.
Missing: Only a few safe headers are available to the client.

Access-Control-Max-Age: N/A

Purpose: Defines the time, in seconds, that the results of a preflight request can be cached.
Format: A numeric value in seconds.
Missing: Preflight requests will occur more frequently.

Access-Control-Request-Method: N/A

Purpose: Indicates which HTTP method will be used in the actual request.
Format: A single HTTP method (e.g., GET, POST).
Missing: The preflight may not specify an intended method.

Access-Control-Request-Headers: N/A

Purpose: Lists which headers will be sent with the actual request.
Format: Comma-separated header names.
Missing: Specific header information might be omitted from the preflight.

Vary: N/A

Purpose: Informs caches about which request headers were used for content negotiation.
Format: A list of header names or patterns.
Missing: Caching policies may fall back to default behavior.

Origin: N/A

Purpose: Reflects the origin of the request as seen by the server.
Format: A URL indicating the origin.
Missing: Could suggest an issue with how the header is processed.

Timing-Allow-Origin: N/A

Purpose: Specifies which origins can access timing information for performance metrics.
Format: A URL or "*" wildcard.
Missing: Timing details may remain restricted to the same-origin.

Needs more information about CORS?

Read our blog post How to Fix Security Error: Blocked by CORS Policy.

Found a issue? Have a suggestion?

Please contact us with your feedback.

Our blog

View all posts »

Guides, Product Updates, and Helpful Tips

JavaScript Async Await Guide (2025)

Understand JavaScript's async/await pattern to write cleaner asynchronous code. Learn the syntax, best practices, error handling, and real-world implementation examples for modern web development.

How to fix: Uncaught TypeError: object is not a function

Troubleshoot and resolve JavaScript's 'Uncaught TypeError: object is not a function' error. Discover why it occurs, identify common pitfalls, and implement proven solutions for proper function handling.

How to fix: TypeError: Cannot read property 'x' of undefined

Troubleshoot and resolve the common TypeError: Cannot read property 'x' of undefined in JavaScript. Understand object initialization, property access, and implement effective solutions.

How to fix: SecurityError: Blocked by CORS Policy

Cross Origin Resource Sharing error typically arises when a web application attempts to make a request to a different domain than the one that served the web page, violating the browser's Same-Origin Policy.