About CORS Header Tester

Analyze CORS response headers for misconfigurations and security issues. Part of the DevTools Surf developer suite. Browse more tools in the Networking collection.

Use Cases

• Debug cross-origin API errors during frontend development
• Audit CORS headers for security review compliance
• Verify preflight response configuration for PUT/DELETE methods
• Test CORS setup before connecting a new frontend domain

Tips

• Paste response headers to check for wildcard origin risks
• Verify Access-Control-Allow-Methods covers your API methods
• Detect missing Access-Control-Allow-Credentials misconfigurations

Fun Facts

• CORS (Cross-Origin Resource Sharing) was first proposed in 2004 and standardized as a W3C Recommendation in January 2014.
• The CORS preflight OPTIONS request was designed to protect legacy servers that never expected cross-origin requests from browsers.
• Setting Access-Control-Allow-Origin to '*' with credentials is forbidden by the spec — browsers silently reject such responses.

FAQ

What does it analyze?

The Access-Control-* headers on a response. Detects misconfigurations: wildcards + credentials (forbidden), missing Vary: Origin (caching bug), overly permissive allow-origin.

Can I test live URLs?

Paste headers you've collected via browser DevTools or curl. The tool doesn't make HTTP requests itself — that would need a CORS proxy.

What are the most common bugs?

Allow-Origin: * with Allow-Credentials: true (blocked by browser). Forgetting Vary: Origin (wrong cached response). Missing Access-Control-Max-Age (slow preflights).

Is CORS different from CSRF?

Yes — CORS relaxes the same-origin policy for explicit opt-in. CSRF is an attack where malicious sites trigger actions on authenticated sessions. Different layers of web security.