CORS Header Checker

Check CORS headers for any URL. See Access-Control-Allow-Origin, methods, headers, credentials. Green = CORS enabled, red = blocked. Generate curl for preflight testing.

Browser fetch is limited by CORS. If the request is blocked, use the curl command below to test from your terminal.

Common CORS fix reference

Environment | Fix
Express (Node) | app.use(cors({ origin: 'https://yoursite.com' }))
Nginx | add_header Access-Control-Allow-Origin "https://yoursite.com";
Apache | Header set Access-Control-Allow-Origin "https://yoursite.com"
AWS API Gateway | Enable CORS in API Gateway console
Cloudflare | Configure CORS in Transform Rules or Workers

What Is CORS?

CORS (Cross-Origin Resource Sharing) is a security feature built into web browsers. When a page on domain A tries to fetch data from domain B, the browser blocks the request unless domain B explicitly allows it via CORS headers. The server sends Access-Control-Allow-Origin (and related headers) to permit specific origins. Without these headers, JavaScript cannot read the response, and you'll see errors like 'blocked by CORS policy' in the console.

CORS protects users from malicious sites that might try to access their data on other domains. As a developer, you must configure your API or backend to send the correct CORS headers when you want to allow cross-origin access.

Understanding CORS Headers

Access-Control-Allow-Origin specifies which origins can access the response: either * (any origin) or a specific origin like https://example.com.

Access-Control-Allow-Methods lists allowed HTTP methods (GET, POST, etc.).

Access-Control-Allow-Headers lists which request headers the server accepts.

Access-Control-Max-Age tells the browser how long (in seconds) to cache the preflight result.

Access-Control-Allow-Credentials, when true, allows cookies and Authorization headers in cross-origin requests. When credentials are used, Allow-Origin cannot be *.
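The header rules above, applied to one planned request, as an added example (not code from this tool). It goes slightly beyond the text by following the Fetch standard for safelisted methods and for * in Allow-Methods and Allow-Headers. checkPreflight, the request shape and the sample headers are assumptions made for illustration.

```javascript
// Added example. Evaluates a preflight (OPTIONS) response for one planned request.
// req.headers is assumed to hold only the non-safelisted header names to be sent.
function checkPreflight(resHeaders, req) {
  const h = {}; // header names are case-insensitive, so normalise them
  for (const [k, v] of Object.entries(resHeaders)) h[k.toLowerCase()] = String(v).trim();
  const list = (name) => (h[name] || '').split(',').map((s) => s.trim()).filter(Boolean);
  const problems = [];

  const allowOrigin = h['access-control-allow-origin'];
  if (!allowOrigin) {
    problems.push('no Access-Control-Allow-Origin header');
  } else if (allowOrigin === '*') {
    if (req.credentials) problems.push('Allow-Origin is * but credentials are sent');
  } else if (allowOrigin !== req.origin) {
    problems.push('Allow-Origin does not match ' + req.origin);
  }
  if (req.credentials && h['access-control-allow-credentials'] !== 'true') {
    problems.push('Access-Control-Allow-Credentials is not true');
  }

  // A * in Allow-Methods / Allow-Headers is a wildcard only without credentials.
  const wildcardOk = (items) => !req.credentials && items.includes('*');
  const methods = list('access-control-allow-methods'); // method names are case-sensitive
  const safelisted = ['GET', 'HEAD', 'POST']; // allowed without being listed
  if (!safelisted.includes(req.method) && !methods.includes(req.method) && !wildcardOk(methods)) {
    problems.push('method ' + req.method + ' not in Allow-Methods');
  }
  const allowed = list('access-control-allow-headers').map((x) => x.toLowerCase());
  for (const name of (req.headers || []).map((x) => x.toLowerCase())) {
    // Authorization must always be listed by name; * never covers it.
    const viaWildcard = name !== 'authorization' && wildcardOk(allowed);
    if (!allowed.includes(name) && !viaWildcard) problems.push('header ' + name + ' not in Allow-Headers');
  }

  const maxAge = parseInt(h['access-control-max-age'], 10);
  return { allowed: problems.length === 0, problems, maxAgeSeconds: Number.isNaN(maxAge) ? null : maxAge };
}

// Constructed sample preflight response (not captured from a real server).
const sampleResponse = {
  'Access-Control-Allow-Origin': 'https://yoursite.com',
  'Access-Control-Allow-Methods': 'GET, POST, PUT',
  'Access-Control-Allow-Headers': 'Content-Type, Authorization',
  'Access-Control-Allow-Credentials': 'true',
  'Access-Control-Max-Age': '600',
};
const planned = { origin: 'https://yoursite.com', method: 'PUT', headers: ['Authorization'], credentials: true };
console.log(checkPreflight(sampleResponse, planned));
```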

Common CORS Fixes

For Express/Node: use the cors middleware and configure allowed origins. For Nginx: add add_header Access-Control-Allow-Origin. For Apache: use Header set. For API gateways (AWS, Cloudflare): configure CORS in the dashboard. Always ensure your server responds to OPTIONS (preflight) requests with 200 and the CORS headers. Avoid using * for Allow-Origin when using credentials. Test with this tool to verify your configuration.
