CORS Diagnostic
Diagnose security headers and policies in your browser. No input is sent to a server. Use it for first-pass checks before rollout.
Status
Runs in your browser. No input is sent to a server. Use this as a first-pass diagnostic step.
How to use
Paste request/response headers and click “Diagnose”. It shows pass/fail and likely causes.
Notes (this tool)
- Decisions can differ when preflight (OPTIONS) and actual requests use different headers, so inspect both.
- With credentialed requests, Allow-Origin=* is invalid. Check it together with Allow-Credentials.
About this page
What does this tool do?
Evaluates Origin and Access-Control-* combinations to diagnose CORS behavior.
Debugging workflow (recommended)
- Paste request/response headers
- Check Summary for likely cause
- Use CORS Response Inspect for details
Recommendations (practical)
- If using credentials, do not use Allow-Origin *
- Add Vary: Origin for dynamic origins
- For preflight, explicitly set Allow-Methods/Allow-Headers
Related tools
- CORS Response Inspect
- CORS Checklist
- Origin Allowlist Check
- Host/Authority/Origin Inspect
What this tool does
- Judge CORS pass/fail at a glance
- Detect common misconfigurations
Operational notes
- Recommended values are environment-dependent. Validate against functional requirements before applying.
- In production, use phased rollout with report monitoring.
Referenced specs
- MDN: CORS
- Fetch Standard
FAQ
When does preflight occur?
It occurs when the request uses a method or request headers outside the simple (CORS-safelisted) set; the browser then sends an OPTIONS preflight before the actual request.
Can ACAO=* be used with credentials?
No. Credentialed requests require the response to name an explicit allowed origin, together with Access-Control-Allow-Credentials: true.
Page-specific case studies
Use this page for full CORS triage by checking origin, preflight, and credentials together.
- Verify Origin matches Access-Control-Allow-Origin on failures.
- Check OPTIONS preflight status and Allow-* headers.
- Ensure wildcard origin is not used with credentials.
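The triage above (origin match, preflight Allow-* directives, credentials versus wildcard, Vary: Origin) as a single header checker. This is an added example, not the tool's own source; the header objects in the comments are constructed samples, and the request header list is assumed to contain only the non-safelisted names a browser would send in Access-Control-Request-Headers.

```javascript
// Lower-case header names so lookups are case-insensitive.
function normalize(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = String(v).trim();
  return out;
}
const csv = (s) => (s || '').split(',').map((x) => x.trim()).filter(Boolean);

// req: request headers (Origin, and for preflights Access-Control-Request-*).
// res: response headers. opts.credentials: request carries cookies/Authorization.
// opts.preflight: treat the pair as an OPTIONS preflight exchange.
// Returns { pass, findings, warnings }: findings block the request, warnings do not.
function diagnoseCors(req, res, opts = {}) {
  const rq = normalize(req), rs = normalize(res);
  const findings = [], warnings = [];
  const origin = rq.origin;
  const acao = rs['access-control-allow-origin'];
  if (!origin) findings.push('request has no Origin header, so this is not a CORS request');
  if (!acao) findings.push('missing Access-Control-Allow-Origin');
  else if (acao !== '*' && acao !== origin) findings.push(`Allow-Origin "${acao}" does not match Origin "${origin}"`);
  if (opts.credentials) {
    if (acao === '*') findings.push('wildcard Allow-Origin is invalid with credentials');
    if (rs['access-control-allow-credentials'] !== 'true') findings.push('credentialed request needs Access-Control-Allow-Credentials: true');
  }
  // An echoed per-request origin must be cache-keyed on Origin, or a shared cache
  // can hand one origin's Allow-Origin value to another.
  if (acao && acao !== '*' && !csv(rs.vary).some((v) => v.toLowerCase() === 'origin')) warnings.push('specific Allow-Origin without Vary: Origin');
  if (opts.preflight) {
    const method = (rq['access-control-request-method'] || 'GET').toUpperCase();
    const allowMethods = csv(rs['access-control-allow-methods']).map((m) => m.toUpperCase());
    const allowHeaders = csv(rs['access-control-allow-headers']).map((h) => h.toLowerCase());
    // Per the Fetch Standard, "*" is only a wildcard for non-credentialed requests,
    // GET/HEAD/POST never need listing, and Authorization is never covered by "*".
    const wild = (list) => list.includes('*') && !opts.credentials;
    if (!['GET', 'HEAD', 'POST'].includes(method) && !allowMethods.includes(method) && !wild(allowMethods)) findings.push(`preflight does not allow method ${method}`);
    for (const h of csv(rq['access-control-request-headers']).map((x) => x.toLowerCase())) {
      if (!allowHeaders.includes(h) && !(wild(allowHeaders) && h !== 'authorization')) findings.push(`preflight does not allow header ${h}`);
    }
  }
  return { pass: findings.length === 0, findings, warnings };
}

// Constructed sample: credentialed request answered with a wildcard origin.
// diagnoseCors({ Origin: 'https://app.example' },
//   { 'Access-Control-Allow-Origin': '*', 'Access-Control-Allow-Credentials': 'true' },
//   { credentials: true }).findings  // -> ['wildcard Allow-Origin is invalid with credentials']
```

Run the same pair twice, once with the preflight headers and once with the actual request headers, since the two responses are often produced by different server code paths.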
Page-specific implementation checklist
- Apply least-privilege CORS policy per API endpoint.
- Log method, headers, and origin for preflight failures.
- Allow only required request headers.
- Revalidate behavior on major browsers after changes.
Next to view (diagnostic order)
These links are generated from site_map rules in recommended diagnostic order.
- CORS Error Troubleshooting — Troubleshoot CORS failures by correlating browser errors with request/response headers
- CORS Response Inspect — Parse Access-Control-Allow-* headers to audit CORS responses
- Origin Allowlist Check — Match Origin values against an allowlist
- How to Diagnose CORS Preflight Failures — Fix preflight failures by validating OPTIONS responses, Allow-* directives, and origin rules in order
- How to choose CORS tools — Map preflight failures, origin mismatches, and credential conflicts to the right checks
- CORS Checklist — Provide a step-by-step CORS verification checklist
- Host/Authority/Origin Inspect — Cross-check Host/:authority/Origin/Referer for mismatches