Debug CORS preflight requests
Simulate browser CORS and preflight checks locally to understand which response header is blocking a frontend API request.
Open the tool, then paste the sample input below. Everything runs locally in your browser.
The problem
CORS failures often look like generic browser errors. The useful detail is in the request method, custom headers, credentials mode, and the server CORS response headers.
Sample input
Origin: https://app.example.com
Method: PUT
Request headers: Authorization, Content-Type
Response Access-Control-Allow-Origin: https://app.example.comExpected output
Check Access-Control-Allow-Methods includes PUT
Check Access-Control-Allow-Headers includes Authorization and Content-TypeHow to do it
- Enter the requesting origin.
- Choose the HTTP method.
- Add custom request headers.
- Paste the server CORS response headers.
- Review which browser check fails.
Common mistakes
- Adding CORS headers to the frontend instead of the API response.
- Forgetting OPTIONS handling on the server.
- Using wildcard origins with credentialed requests.
- Missing Access-Control-Allow-Headers for Authorization.
Related tools
FAQ
Why does cURL work but the browser fails?
cURL does not enforce CORS. Browsers enforce CORS using response headers from the API.
What triggers a preflight request?
Non-simple methods, custom headers, and some content types cause the browser to send an OPTIONS preflight.
Does this call my API?
No. It simulates the browser checks from the values you enter.
Is my data uploaded anywhere?
No. This workflow runs locally in your browser unless you explicitly copy or share the result yourself.
This guide uses browser-local tooling. Avoid pasting production secrets unless you understand what the tool displays and shares.
Continue with adjacent browser-based tools for the same workflow.