CORS preflight checker
Paste OPTIONS response headers plus Origin and method: checks Allow-Origin, credentials, methods, headers, Max-Age. Heuristic only — confirm in browser.
Paste OPTIONS response headers from DevTools (or a proxy). Add the browser Origin and method you intend to use. This is a static checklist, not a live browser preflight.
How to use this tool
- Paste the OPTIONS response headers (status line optional) copied from the browser DevTools Network panel or from an intercepting proxy.
- Enter the Origin the page will run from and the HTTP method the browser will send, plus any custom request headers it adds.
- Run the check and read the result; fix the server or gateway configuration, re-run, and confirm the final behavior in a real browser.
What this check helps you catch
- An Access-Control-Allow-Origin that is missing, does not exactly match the requesting Origin, or is the wildcard * on a request that carries credentials.
- A requested method or header that is absent from Access-Control-Allow-Methods or Access-Control-Allow-Headers.
- An Access-Control-Allow-Credentials value other than the literal true, and a missing or unusual Access-Control-Max-Age.
- What it does not verify: live network reachability, the server's response to the real (non-OPTIONS) request, or application-level authentication and authorization. The result is a heuristic; confirm it in a browser.
FAQ
- What does CORS preflight checker do?
- It reads the pasted OPTIONS response headers together with the Origin and method you supply and reports whether a browser would accept the preflight, covering Allow-Origin, credentials, methods, headers, and Max-Age. It is a static heuristic, so confirm the result in a browser. Use the form above, then see “How to use” and “What this check helps you catch” for behavior detail.
- Is this a substitute for server-side validation?
- No. Use it for manual checks and triage; production systems should still validate and authorize on the server.
- Where does processing happen?
- Most validators here run in your browser. If a tool calls an API, that is stated on the page. See the site privacy policy for data handling.
The CORS Preflight Checker helps you review whether an API endpoint responds correctly to an OPTIONS preflight request. It is useful when a browser blocks cross-origin requests and you need to verify headers such as Access-Control-Allow-Origin, Access-Control-Allow-Methods, and Access-Control-Allow-Credentials. Developers, API teams, frontend engineers, and security reviewers use this kind of check to diagnose why a request works in tools like cURL or Postman but fails in the browser. By comparing the requested Origin and method against the server’s response, you can identify configuration issues before they affect production users.
How This Validator Works
This checker evaluates the preflight exchange that browsers use before sending certain cross-origin requests. A browser sends an OPTIONS request with headers such as Origin, Access-Control-Request-Method, and sometimes Access-Control-Request-Headers. The server should reply with matching CORS headers that explicitly permit the origin, method, and any requested headers when appropriate.
- Checks whether the response includes Access-Control-Allow-Origin.
- Verifies whether the allowed origin exactly matches the requesting Origin (scheme, host, and port), or is the literal wildcard * on a request that carries no credentials. Browsers do not accept origin patterns such as *.example.com.
- Reviews Access-Control-Allow-Methods for the requested HTTP method; GET, HEAD, and POST pass even when not listed.
- Confirms whether Access-Control-Allow-Credentials is compatible with the origin policy: a credentialed request needs the exact value true together with a specific origin, never *.
- Helps identify missing or inconsistent preflight headers that can block browser requests.
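The rules above, written out as an added example that is not the page's own tool code: a small JavaScript evaluator modelled on the CORS-preflight fetch steps of the WHATWG Fetch standard. The function names, the request object shape, and the sample OPTIONS response are constructed for this demo. Like the tool, it is static and judges one response at a time, so it cannot distinguish a fixed allow-list from a server that reflects whatever Origin it receives; to check for that, run it a second time with a different Origin and see whether the response changes.

```javascript
// Added example (not the page's tool): static evaluation of a pasted OPTIONS
// response against the CORS-preflight rules browsers implement (WHATWG Fetch).
// Function names and the sample response below are constructed for this demo.

// Methods a browser sends cross-origin without needing them listed.
const SAFELISTED_METHODS = new Set(["GET", "HEAD", "POST"]);
// Methods whose spelling browsers normalize to upper case before sending.
const NORMALIZED_METHODS = new Set(["DELETE", "GET", "HEAD", "OPTIONS", "POST", "PUT"]);

// Parse a block pasted from DevTools: optional "HTTP/1.1 204" status line,
// then "Name: value" lines. Header names are lower-cased; repeats are joined.
function parseResponse(text) {
  let status = null;
  const headers = new Map();
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    const statusMatch = line.match(/^HTTP\/\d(?:\.\d)?\s+(\d{3})/);
    if (statusMatch) { status = Number(statusMatch[1]); continue; }
    const idx = line.indexOf(":");
    if (idx <= 0) continue; // blank line or something that is not a header
    const name = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    headers.set(name, headers.has(name) ? `${headers.get(name)}, ${value}` : value);
  }
  return { status, headers };
}

function splitList(value) {
  return value === undefined ? [] : value.split(",").map((v) => v.trim()).filter(Boolean);
}

// request: { origin, method, requestHeaders?, credentials? } describing what the
// browser would send. Returns { ok, errors, warnings, maxAge }.
function evaluatePreflight(request, responseText) {
  const { origin, requestHeaders = [], credentials = false } = request;
  let { method } = request;
  if (NORMALIZED_METHODS.has(method.toUpperCase())) method = method.toUpperCase();

  const { status, headers: h } = parseResponse(responseText);
  const errors = [];
  const warnings = [];

  // The preflight itself must succeed (2xx); a 401, 403 or redirect is fatal.
  if (status !== null && (status < 200 || status > 299)) {
    errors.push(`preflight status ${status} is not 2xx`);
  }

  // CORS check: "*" (only without credentials) or a byte-exact Origin match.
  const acao = h.get("access-control-allow-origin");
  if (acao === undefined) {
    errors.push("Access-Control-Allow-Origin missing");
  } else if (acao === "*") {
    if (credentials) errors.push("Access-Control-Allow-Origin: * is rejected for credentialed requests");
  } else if (acao !== origin) {
    errors.push(`Access-Control-Allow-Origin "${acao}" != Origin "${origin}" (scheme, host and port must all match)`);
  } else if (credentials) {
    warnings.push("Allow-Origin equals the Origin sent; repeat with another Origin to rule out reflection");
  }

  // Credentialed requests need the literal value "true" (case-sensitive).
  const acac = h.get("access-control-allow-credentials");
  if (credentials && acac !== "true") {
    errors.push(`Access-Control-Allow-Credentials must be exactly "true", got ${JSON.stringify(acac ?? null)}`);
  }

  // Method: listed, CORS-safelisted, or covered by "*" (wildcard only without credentials).
  const methods = splitList(h.get("access-control-allow-methods"));
  const methodOk = methods.includes(method) || SAFELISTED_METHODS.has(method) || (!credentials && methods.includes("*"));
  if (!methodOk) errors.push(`method ${method} not in Access-Control-Allow-Methods [${methods.join(", ")}]`);

  // Headers: case-insensitive match; "*" covers everything except Authorization,
  // and again only when no credentials are sent.
  const allowed = splitList(h.get("access-control-allow-headers")).map((x) => x.toLowerCase());
  const headerWildcard = !credentials && allowed.includes("*");
  for (const name of requestHeaders.map((x) => x.toLowerCase())) {
    if (!(allowed.includes(name) || (headerWildcard && name !== "authorization"))) {
      errors.push(`request header ${name} not in Access-Control-Allow-Headers`);
    }
  }

  // Max-Age: absent or unparsable falls back to 5 seconds; browsers also cap large values.
  const rawAge = h.get("access-control-max-age");
  const maxAge = rawAge !== undefined && /^\d+$/.test(rawAge) ? Number(rawAge) : 5;
  if (rawAge === undefined) warnings.push("Access-Control-Max-Age absent; the result is cached for only 5 seconds");

  return { ok: errors.length === 0, errors, warnings, maxAge };
}

// Constructed sample: an OPTIONS response as copied from the DevTools Network panel.
const SAMPLE_RESPONSE = `HTTP/1.1 204 No Content
Access-Control-Allow-Origin: https://app.example
Access-Control-Allow-Methods: GET, POST, PUT
Access-Control-Allow-Headers: Content-Type, X-Request-Id
Access-Control-Allow-Credentials: true
Access-Control-Max-Age: 600
Vary: Origin`;

const verdict = evaluatePreflight(
  { origin: "https://app.example", method: "PUT", requestHeaders: ["Content-Type", "X-Request-Id"], credentials: true },
  SAMPLE_RESPONSE,
);
console.log(verdict.ok ? "preflight would pass" : verdict.errors.join("\n"), verdict.warnings);
```

Feeding the same response a second Origin (for example https://other.example) should produce an Allow-Origin mismatch; if it instead passes, the server is reflecting the Origin header and the allow-list is not doing anything.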
Common Validation Errors
CORS failures often come from small mismatches between the browser request and the server response. These issues can be hard to spot because the endpoint may still work outside the browser.
- Missing Access-Control-Allow-Origin — the server does not explicitly allow the requesting origin.
- Wildcard with credentials — * cannot be used with credentialed requests in standard CORS behavior.
- Method not allowed — the requested method is absent from Access-Control-Allow-Methods.
- Header mismatch — requested headers are not listed in Access-Control-Allow-Headers.
- Preflight not handled — the endpoint does not respond properly to OPTIONS requests.
- Origin mismatch — the server returns an origin other than the one the browser sent. The comparison is exact, so a different scheme (http versus https), a different port, or a trailing slash is enough to fail.
Where This Validator Is Commonly Used
CORS preflight checks are commonly used anywhere browser-based applications call APIs across domains. They are especially helpful during frontend integration, API gateway configuration, and deployment troubleshooting.
- Single-page applications calling REST or GraphQL APIs
- Microservice and API gateway environments
- Staging and production release validation
- Third-party integrations and partner APIs
- Security reviews for cross-origin request policies
- Debugging browser-only failures in modern web apps
Why Validation Matters
Correct CORS configuration is important because browsers enforce cross-origin rules to protect users and applications. A valid preflight response helps legitimate frontend code communicate with APIs without exposing unnecessary access. Validation also reduces support issues by catching misconfigurations early, before they become production incidents. For teams managing public APIs, internal dashboards, or authenticated web apps, consistent CORS behavior is part of reliable and predictable delivery.
Technical Details
CORS preflight behavior is defined by browser security models and standardized HTTP header conventions. The validator focuses on the relationship between the request and response rather than on application logic.
- HTTP method: preflight requests use OPTIONS.
- Request origin: sent in the Origin header.
- Requested method: sent in Access-Control-Request-Method.
- Requested headers: may be listed in Access-Control-Request-Headers.
- Response headers: commonly include Access-Control-Allow-Origin, Access-Control-Allow-Methods, Access-Control-Allow-Headers, Access-Control-Allow-Credentials, and Access-Control-Max-Age.
- Validation focus: compatibility between the browser’s request and the server’s policy.
| Header | Purpose |
|---|---|
| Access-Control-Allow-Origin | Indicates which origin may access the resource |
| Access-Control-Allow-Methods | Lists permitted HTTP methods |
| Access-Control-Allow-Headers | Lists permitted request headers |
| Access-Control-Allow-Credentials | Indicates whether credentials are allowed |
| Access-Control-Max-Age | Controls how long the preflight result may be cached |
FAQ
What is a CORS preflight request?
A CORS preflight request is an OPTIONS request that a browser sends before certain cross-origin requests. It asks the server whether the actual request is allowed. The server’s response should include the correct CORS headers so the browser can decide whether to continue.
Why does my API work in Postman but fail in the browser?
Tools like Postman and cURL do not enforce browser CORS rules. A request can succeed there even if the server is missing the headers required by browsers. This checker helps you confirm whether the API response is compatible with browser-based cross-origin access.
Can I use a wildcard origin with credentials?
In standard CORS behavior, a wildcard * is not compatible with credentialed requests. If cookies, HTTP authentication, or TLS client certificates are involved, the server must return the specific requesting origin together with Access-Control-Allow-Credentials: true instead of a wildcard, and should send Vary: Origin so that a shared cache does not serve one origin's response to another.
What causes a preflight request to happen?
Browsers send a preflight when a cross-origin request uses a method other than GET, HEAD, or POST, sets a request header outside the CORS-safelisted set (Accept, Accept-Language, Content-Language, Content-Type, and a restricted Range), or uses a Content-Type other than application/x-www-form-urlencoded, multipart/form-data, or text/plain. The preflight lets the browser verify the server’s policy before sending the real request.
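The trigger rules above, written out as an added example (not code from the page or its tool): a JavaScript function that reports why a given method and header set would force a preflight, following the CORS-safelisted method and header rules of the WHATWG Fetch standard. The function and constant names and the sample requests are constructed for this demo; the byte-level restrictions that the standard places on Accept, Accept-Language, Content-Language, and Range values are simplified here to the 128-byte length limit.

```javascript
// Added example (not the page's code): decide whether a cross-origin request
// triggers a preflight. Names are ours; value-byte restrictions are simplified.

const SAFELISTED_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFELISTED_HEADERS = new Set(["accept", "accept-language", "content-language", "content-type", "range"]);
const SAFELISTED_CONTENT_TYPES = new Set(["application/x-www-form-urlencoded", "multipart/form-data", "text/plain"]);

// Returns the first reason a preflight is needed, or null for a "simple" request.
function preflightReason(method, headers = {}) {
  const m = method.toUpperCase(); // browsers normalize get/post/head to upper case
  if (!SAFELISTED_METHODS.has(m)) return `method ${m} is not GET, HEAD or POST`;
  for (const [rawName, value] of Object.entries(headers)) {
    const name = rawName.toLowerCase();
    if (!SAFELISTED_HEADERS.has(name)) return `header ${rawName} is not CORS-safelisted`;
    // Any safelisted header whose value exceeds 128 bytes loses its safelisting.
    if (new TextEncoder().encode(value).length > 128) return `header ${rawName} value exceeds 128 bytes`;
    if (name === "content-type") {
      // Only the media type matters; parameters such as charset are ignored.
      const essence = value.split(";")[0].trim().toLowerCase();
      if (!SAFELISTED_CONTENT_TYPES.has(essence)) return `Content-Type ${essence} forces a preflight`;
    }
  }
  return null;
}

function needsPreflight(method, headers) {
  return preflightReason(method, headers) !== null;
}

// Constructed sample requests a front end might issue.
const SAMPLES = [
  ["GET", {}],
  ["POST", { "Content-Type": "application/x-www-form-urlencoded" }],
  ["POST", { "Content-Type": "application/json" }],
  ["GET", { Authorization: "Bearer token" }],
  ["DELETE", {}],
];
for (const [method, headers] of SAMPLES) {
  console.log(method, JSON.stringify(headers), "->", preflightReason(method, headers) ?? "no preflight");
}
```

The usual surprise this exposes is a JSON POST: the method is safelisted, but Content-Type: application/json is not, so the browser still sends an OPTIONS request first.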
Does this checker test server security?
This checker reviews CORS header behavior, not overall application security. It can help identify misconfigurations that affect browser access, but it does not prove that an API is secure, authenticated, or protected against abuse.
What is the difference between Access-Control-Allow-Origin and Access-Control-Allow-Methods?
Access-Control-Allow-Origin tells the browser which origin may access the resource. Access-Control-Allow-Methods lists the HTTP methods that are permitted. Both must align with the browser’s request for the preflight to succeed.
Why is Access-Control-Allow-Headers important?
If the browser plans to send custom headers, the server must explicitly allow them in Access-Control-Allow-Headers. If the requested headers are missing from the response, the browser may block the actual request even if the origin and method are allowed.
What does Access-Control-Max-Age do?
Access-Control-Max-Age tells the browser how long, in seconds, it may cache the preflight result for that origin and URL. If the header is missing, browsers cache the result for 5 seconds, and large values are capped by the browser (Chromium at 7200 seconds, Firefox at 86400). A longer cache reduces repeated OPTIONS requests, but choose the value so that policy changes take effect in a reasonable time.
Can CORS be used to protect an API?
CORS is a browser-enforced access control mechanism, not a substitute for authentication or authorization. It helps control which web origins can make browser-based requests, but it does not replace tokens, session checks, rate limiting, or server-side access controls.
Related Validators & Checkers
- HTTP Header Checker — review response headers for API and web behavior
- URL Validator — verify endpoint formatting and structure
- JSON Validator — check API payload syntax and structure
- API Response Validator — inspect response shape and status behavior
- Security Headers Checker — review browser security-related headers