How to use the CORS Debugger / Preflight Simulator
CORS errors are confusing because the browser, not your code, blocks the response. This tool replays the browser's CORS algorithm locally: you describe the cross-origin request and paste the server's CORS response headers, and it tells you whether the preflight (OPTIONS) and the actual request would pass — and exactly which header to change. It never makes a network request, so there is nothing to upload and no origin to probe.
What it does
Determines whether your request is "simple" or needs a preflight.
Checks Access-Control-Allow-Origin against your origin (with the credentials rules).
Checks Allow-Methods and Allow-Headers against your method and headers.
Flags the classic gotchas: wildcard with credentials, and Authorization not covered by *.
When to use it
A fetch/XHR call works in Postman but fails in the browser with a CORS error.
You added an Authorization header and suddenly see a preflight failure.
Cookies aren't sent on a cross-origin request.
You're configuring CORS on an API gateway or server and want to verify the headers.
How to use it
Enter the request origin, method, target URL, and request headers.
Paste the server's Access-Control-* response headers.
Toggle "sends credentials" if cookies/auth are involved, then read the result and fixes.
Tips & pitfalls
With credentials, Access-Control-Allow-Origin must echo the exact origin — a wildcard is rejected.
Access-Control-Allow-Headers: * does not cover Authorization; list it explicitly.
The browser caches a preflight result for the time given in Access-Control-Max-Age; header changes may appear delayed until the cached result expires.
FAQ
Does this tool make a real cross-origin request? No. Browsers and our privacy model forbid probing arbitrary cross-origin servers from a page. Instead, you paste the request details and the server's CORS response headers, and the tool replays the browser's CORS algorithm locally to tell you the outcome.
Why does my request trigger a preflight? The browser sends an OPTIONS preflight when a request is not simple: it uses a method other than GET, HEAD, or POST; sends a non-simple header such as Authorization or a custom header; or uses a Content-Type other than a form encoding (application/x-www-form-urlencoded or multipart/form-data) or text/plain (for example application/json).
Why can't I use a wildcard with credentials? When a request sends credentials (cookies or Authorization with credentials mode), the response must echo the exact origin in Access-Control-Allow-Origin and set Access-Control-Allow-Credentials to true. A wildcard is rejected by the browser in that case.
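The checks listed under "What it does" and explained in the FAQ, written out as an added JavaScript example (not this tool's own code). It assumes lowercase header names in both objects, treats the pasted headers as both the preflight and the actual response, and ignores the value-length limits on safelisted headers; all function names and sample values are illustrative.

```javascript
// Added example: simplified local replay of the browser's CORS checks (header names lowercase).
const SIMPLE_METHODS = ["GET", "HEAD", "POST"];
const SAFE_HEADERS = ["accept", "accept-language", "content-language", "content-type"];
const SIMPLE_TYPES = ["application/x-www-form-urlencoded", "multipart/form-data", "text/plain"];
const list = (v) => (v || "").split(",").map((s) => s.trim()).filter(Boolean);

// Request headers that make the request non-simple and so force a preflight.
function unsafeHeaders(req) {
  return Object.keys(req.headers).filter((name) => {
    if (!SAFE_HEADERS.includes(name)) return true;
    if (name !== "content-type") return false;
    const type = req.headers[name].split(";")[0].trim().toLowerCase();
    return !SIMPLE_TYPES.includes(type);
  });
}

const needsPreflight = (req) => !SIMPLE_METHODS.includes(req.method) || unsafeHeaders(req).length > 0;

// Returns a list of problems; an empty list means the request would pass.
function checkCors(req, res) {
  const problems = [];
  const acao = res["access-control-allow-origin"];
  if (req.credentials) {
    if (acao === "*") problems.push("wildcard origin with credentials");
    else if (acao !== req.origin) problems.push("origin not allowed");
    if (res["access-control-allow-credentials"] !== "true") problems.push("Allow-Credentials is not true");
  } else if (acao !== "*" && acao !== req.origin) problems.push("origin not allowed");
  if (!needsPreflight(req)) return problems;
  const methods = list(res["access-control-allow-methods"]); // method names are case-sensitive
  const headers = list(res["access-control-allow-headers"]).map((s) => s.toLowerCase());
  // With credentials the browser treats "*" as a literal name, not a wildcard.
  const wild = (xs) => !req.credentials && xs.includes("*");
  if (!SIMPLE_METHODS.includes(req.method) && !wild(methods) && !methods.includes(req.method))
    problems.push(`method ${req.method} not in Allow-Methods`);
  for (const h of unsafeHeaders(req)) {
    // Authorization is never covered by "*"; it must be listed by name.
    const covered = headers.includes(h) || (h !== "authorization" && wild(headers));
    if (!covered) problems.push(`header ${h} not in Allow-Headers`);
  }
  return problems;
}

// Constructed sample: token-bearing JSON POST against an all-wildcard policy.
const sampleReq = { origin: "https://app.example", method: "POST", credentials: false,
  headers: { authorization: "Bearer x", "content-type": "application/json" } };
const sampleRes = { "access-control-allow-origin": "*", "access-control-allow-headers": "*" };
console.log(checkCors(sampleReq, sampleRes));
```

The sample reports only the Authorization header: application/json forces the preflight, but Content-Type itself is covered by the wildcard.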