CORS Checklist
Diagnose security headers and policies in your browser. No input is sent to a server. Use it for first-pass checks before rollout.
- Access-Control-Allow-Origin returns the expected origin
- Allow-Origin is not * when credentials are used
- Access-Control-Allow-Methods includes required methods
- Access-Control-Allow-Headers includes required headers
- Access-Control-Allow-Credentials is set correctly
- Access-Control-Expose-Headers includes needed headers
- Preflight (OPTIONS) returns 2xx
- No unnecessary redirects on preflight
- Vary: Origin is set when needed
- Cache-Control handles CORS responses appropriately
How to use
Check items from top to bottom and compare with real response headers. Identify mismatches first, then move to specific diagnostic tools.
Notes (this tool)
- This page is a checklist. Use HTTP Header Parser to inspect actual headers.
- Behavior can differ between preflight (OPTIONS) and actual requests. Check both header sets.
About this page
What does this tool do?
A checklist for verifying CORS (Cross-Origin Resource Sharing) settings.
Covers Access-Control-* headers and preflight requirements.
CORS is a browser security policy. If the server's Access-Control-* response headers are wrong, fetch/XHR requests from another origin fail.
CORS basics (quick)
- Requests to a different origin are cross-origin.
- Servers express permissions via Access-Control-Allow-Origin and related response headers.
- Depending on conditions, a preflight (OPTIONS) request happens.
Common situations
- Front-end (https://app.example) → API (https://api.example) fails
- Fails when sending cookies (credentials)
- Preflight fails when adding Authorization header
Typical patterns (header combinations)
- Simple GET without cookies: Allow-Origin is enough (* is OK)
- With credentials: Allow-Origin must be explicit and Allow-Credentials: true
- With preflight: align Allow-Methods/Allow-Headers
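As an added example (not the tool's own code), a function that applies the checklist at the top and the header patterns above to one request/response pair and returns the mismatches found. The request and response object shapes are assumptions for this illustration, and request.headers lists only the non-safelisted request headers that trigger a preflight.

```javascript
// Added example, not code from the original tool: checks one CORS response
// against the checklist above. Request/response shapes are assumptions.
function checkCors(request, response) {
  // request:  { origin, credentials, method, headers: [non-safelisted names], preflight }
  // response: { status, headers: { name: value } }, header names case-insensitive
  const get = (name) => {
    const k = Object.keys(response.headers).find((h) => h.toLowerCase() === name.toLowerCase());
    return k === undefined ? null : response.headers[k];
  };
  const list = (v) => (v || '').split(',').map((s) => s.trim().toLowerCase()).filter(Boolean);
  const problems = [];

  const allowOrigin = get('Access-Control-Allow-Origin');
  if (allowOrigin === null) {
    problems.push('missing Access-Control-Allow-Origin');
  } else if (allowOrigin !== '*' && allowOrigin !== request.origin) {
    problems.push(`Allow-Origin '${allowOrigin}' does not match Origin '${request.origin}'`);
  }
  if (request.credentials) {
    if (allowOrigin === '*') problems.push("Allow-Origin must not be '*' with credentials");
    if (get('Access-Control-Allow-Credentials') !== 'true') {
      problems.push("Allow-Credentials must be 'true' with credentials");
    }
  }
  // A single echoed origin must be keyed on Origin so shared caches do not mix origins.
  if (allowOrigin !== null && allowOrigin !== '*' && !list(get('Vary')).includes('origin')) {
    problems.push('Vary: Origin missing while echoing a single origin');
  }
  if (request.preflight) {
    if (response.status < 200 || response.status > 299) {
      problems.push(`preflight returned ${response.status}, expected 2xx`);
    }
    // '*' in Allow-Methods / Allow-Headers acts as a wildcard only without credentials.
    const wildcard = (values) => !request.credentials && values.includes('*');
    const methods = list(get('Access-Control-Allow-Methods'));
    const method = request.method.toLowerCase();
    if (!['get', 'head', 'post'].includes(method) && !methods.includes(method) && !wildcard(methods)) {
      problems.push(`method ${request.method} not in Allow-Methods`);
    }
    const allowed = list(get('Access-Control-Allow-Headers'));
    for (const h of request.headers.map((x) => x.toLowerCase())) {
      if (!allowed.includes(h) && !wildcard(allowed)) {
        problems.push(`request header ${h} not in Allow-Headers`);
      }
    }
  }
  return problems;
}
```

Run it once against the actual-request headers and once against the OPTIONS response, since the two header sets can differ.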
Common error examples
- No 'Access-Control-Allow-Origin' header is present...
- The value of 'Access-Control-Allow-Origin' must not be '*' when credentials are included...
- Request header field Authorization is not allowed by Access-Control-Allow-Headers...
Debugging steps (recommended)
- Inspect actual response headers (paste into HTTP Header Parser)
- Check the preflight (OPTIONS) response too
- Clarify whether credentials are used and which headers/methods are sent
Checklist (overview)
- Access-Control-Allow-Origin is correct
- No * with credentials
- Allow-Methods / Allow-Headers alignment
- Preflight (OPTIONS) response is valid
Debugging workflow (recommended)
- Paste target security headers
- Check missing and overly permissive policies
- Validate with Report-Only and phased rollout
Operational notes
- Recommended values are environment-dependent. Validate against functional requirements before applying.
- In production, use phased rollout with report monitoring.
Referenced specs
- Fetch Standard (CORS)
- RFC 9110 (HTTP Semantics)
- MDN (CORS / Preflight)
FAQ
Is CORS server-side?
Yes. CORS permissions are set by server response headers.
Can Access-Control-Allow-Origin list multiple origins?
No. The header carries a single value, so servers typically echo back the requesting Origin (when it is allowed) or use * (not allowed with credentials).
Page-specific case studies
This is an operational checklist to prevent CORS rollout omissions during reviews.
- Confirm origin policy matches product requirements.
- Check whether preflight responses satisfy method and header needs.
- Verify credentials rules for authenticated requests.
Page-specific implementation checklist
- Include this CORS checklist in every release gate.
- Review CORS changes jointly across frontend and API teams.
- Add CORS failure rate to monitoring dashboards.
- Audit checklist deltas when issues recur.