CORS Tester Examples
The CORS Tester checks whether a URL correctly implements CORS headers for a given origin. Below are examples of test results for common CORS configurations and issues.
Successful CORS Test — Public API
Test input:
URL: https://api.example.com/data
Origin: https://myapp.com
Method: GET
Response headers received:
Access-Control-Allow-Origin: *
Content-Type: application/json
Vary: Accept-Encoding
Result:
✓ CORS ALLOWED
Access-Control-Allow-Origin: * (all origins permitted)
Method GET is allowed
No credentials required — wildcard origin is valid
Successful CORS Test — Authenticated API
Test input:
URL: https://api.example.com/user/profile
Origin: https://app.example.com
Method: GET
Include Credentials: true
Response headers:
Access-Control-Allow-Origin: https://app.example.com
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: GET, POST, PUT, DELETE
Access-Control-Allow-Headers: Content-Type, Authorization
Result:
✓ CORS ALLOWED
Origin https://app.example.com explicitly allowed
Credentials: allowed
Methods: GET, POST, PUT, DELETE
Headers: Content-Type, Authorization
Failed Test — Origin Not Allowed
Test input:
URL: https://api.example.com/data
Origin: https://otherdomain.com
Response headers:
Access-Control-Allow-Origin: https://app.example.com
Result:
✗ CORS BLOCKED
Requested origin: https://otherdomain.com
Allowed origin: https://app.example.com
The origins do not match. The browser will block this response.
Fix: Add https://otherdomain.com to your allowed origins list.
Failed Test — Missing Credentials Header
Test input:
URL: https://api.example.com/secure
Origin: https://app.example.com
Include Credentials: true
Response headers:
Access-Control-Allow-Origin: https://app.example.com
Result:
✗ CORS BLOCKED (credentials)
Access-Control-Allow-Credentials header is missing.
When credentials (cookies, Authorization headers) are included,
the server must respond with:
Access-Control-Allow-Credentials: true
Fix: Add this header to your server's CORS configuration.
Failed Test — Wildcard with Credentials
Response headers:
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
Result:
✗ INVALID CONFIGURATION
Access-Control-Allow-Origin: * cannot be combined with
Access-Control-Allow-Credentials: true.
Browsers reject this combination for security reasons.
Fix: Replace * with the specific allowed origin, e.g.:
Access-Control-Allow-Origin: https://app.example.com
Preflight Test — OPTIONS Request
Test input:
URL: https://api.example.com/users
Origin: https://app.example.com
Method: DELETE
Headers: Authorization, Content-Type
Preflight response:
HTTP/1.1 204 No Content
Access-Control-Allow-Origin: https://app.example.com
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS
Access-Control-Allow-Headers: Content-Type, Authorization
Access-Control-Max-Age: 86400
Result:
✓ PREFLIGHT PASSED
Method DELETE: allowed
Header Authorization: allowed
Header Content-Type: allowed
Preflight cached for: 86400 seconds (24 hours)
HTTP vs HTTPS Origin Mismatch
Allowed origin: https://app.example.com
Request origin: http://app.example.com
✗ CORS BLOCKED — protocol mismatch
https:// and http:// are treated as different origins.
Fix: Ensure your application uses HTTPS, or add the HTTP
origin to your allowed origins list.
Common CORS Issues Detected
- Origin not in the allowed list
- Missing Access-Control-Allow-Credentials for authenticated requests
- Wildcard origin combined with credentials (invalid)
- Required request header not listed in Access-Control-Allow-Headers
- HTTP vs HTTPS protocol mismatch in origin
- www vs non-www subdomain mismatch
- Server not handling OPTIONS preflight requests
- Missing Vary: Origin header when using dynamic origin matching
Enter any URL and origin to instantly diagnose CORS issues with specific recommendations for fixing each problem found.
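The checks behind the results above, combined into one function that takes a request description and the response headers. This is an added example, not the CORS Tester's own code: `evaluateCors`, its argument fields and the verdict strings are assumptions, and the sample call is constructed.

```javascript
// Added example: evaluateCors and its field names are hypothetical, not the tester's API.
const originOf = (v) => { try { return new URL(v).origin; } catch { return null; } };
const tokens = (v) => (v || '').split(',').map((t) => t.trim()).filter(Boolean);

function evaluateCors(req, responseHeaders) {
  const h = {}; // header names are case-insensitive
  for (const [k, v] of Object.entries(responseHeaders)) h[k.toLowerCase()] = String(v).trim();
  const fail = (verdict, reason) => ({ verdict, reason, warnings: [] });
  const sent = originOf(req.origin); // what the browser puts in the Origin header
  if (sent === null) throw new TypeError('req.origin must be an absolute URL');
  const acao = h['access-control-allow-origin'];
  const allowCreds = h['access-control-allow-credentials'] === 'true'; // exact, lower-case

  if (!acao) return fail('BLOCKED', 'missing Access-Control-Allow-Origin');
  if (acao === '*') {
    if (allowCreds) return fail('INVALID', 'wildcard origin combined with credentials');
    if (req.credentials) return fail('BLOCKED', 'wildcard origin on a credentialed request');
  } else if (acao !== sent) {
    // Browsers compare the header to the serialized origin exactly: scheme, host and port.
    const a = new URL(sent), b = originOf(acao) && new URL(acao);
    const schemeOnly = b && a.host === b.host && a.protocol !== b.protocol;
    return fail('BLOCKED', schemeOnly ? 'protocol mismatch' : 'origin not allowed');
  } else if (req.credentials && !allowCreds) {
    return fail('BLOCKED', 'missing Access-Control-Allow-Credentials: true');
  }

  // Preflight: a wildcard only counts without credentials and never covers Authorization.
  const star = (list) => !req.credentials && list.includes('*');
  const methods = tokens(h['access-control-allow-methods']);
  const allowed = tokens(h['access-control-allow-headers']).map((n) => n.toLowerCase());
  const method = (req.method || 'GET').toUpperCase();
  if (!['GET', 'HEAD', 'POST'].includes(method) && !methods.includes(method) && !star(methods))
    return fail('BLOCKED', `method ${method} not allowed`);
  // req.headers: the non-safelisted request headers the caller plans to send (assumption).
  const missing = (req.headers || []).map((n) => n.toLowerCase())
    .find((n) => !allowed.includes(n) && !(star(allowed) && n !== 'authorization'));
  if (missing) return fail('BLOCKED', `header ${missing} not allowed`);

  const warnings = [];
  const vary = tokens(h['vary']).map((n) => n.toLowerCase());
  if (acao !== '*' && !vary.includes('origin') && !vary.includes('*'))
    warnings.push('no Vary: Origin; a shared cache could reuse this response for another origin');
  return { verdict: 'ALLOWED', reason: 'origin allowed', warnings };
}

// Constructed sample mirroring the "Wildcard with Credentials" case above.
console.log(evaluateCors({ origin: 'https://app.example.com', credentials: true },
  { 'Access-Control-Allow-Origin': '*', 'Access-Control-Allow-Credentials': 'true' }));
```

The `warnings` array carries the missing `Vary: Origin` finding separately, since it does not change the verdict for the request being tested.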