CORS Headers Debugger

Paste request and response headers to diagnose CORS issues. Get plain-English explanations and exact fixes.

What is CORS?

Cross-Origin Resource Sharing (CORS) is a browser security mechanism that controls whether a web page may read responses from an origin other than the one that served the page. When your frontend (e.g., https://app.example.com) calls an API at a different origin (e.g., https://api.example.com), the browser enforces CORS rules.

CORS errors are among the most common and frustrating issues in web development. They only happen in browsers — tools like curl and Postman bypass CORS entirely. The fix always involves configuring the correct response headers on the server.

How to Debug CORS

  1. Open DevTools — In Chrome/Firefox, open the Network tab and find the failing request.
  2. Copy request headers — Look for the Origin and Access-Control-Request-* headers in the request.
  3. Copy response headers — Look for Access-Control-Allow-* headers in the response.
  4. Paste here — Paste both sets of headers into this tool to get a diagnosis.

Frequently Asked Questions

Why does CORS work in Postman but not in the browser?

CORS is enforced only by browsers, not by HTTP clients like Postman or curl. Browsers send an Origin header and check the server's CORS response headers before sharing the response with your JavaScript code. Postman doesn't implement this restriction.

What is a preflight request?

A preflight is an OPTIONS request that the browser automatically sends before certain cross-origin requests. It asks the server "can I make this request?" and the server must respond with the appropriate Access-Control-Allow-* headers. Preflights are triggered by non-simple methods (PUT, DELETE, PATCH), custom headers, or a Content-Type other than the simple form types (for example, application/json).

Is it safe to use Access-Control-Allow-Origin: *?

It depends. For public APIs with no authentication, * is fine. For APIs that use cookies, sessions, or Authorization headers, you must specify the exact origin instead of * — and set Access-Control-Allow-Credentials: true. Using * with credentials is not allowed by the browser.
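The checks behind the debugging steps and the FAQ above, as an added example written for this page rather than the tool's own code: it takes the request and response headers you would copy from DevTools (as plain objects, assumed input format) and returns the same kind of plain-English findings, including the wildcard-with-credentials rule and the preflight method/header comparison. The sample headers in the test are constructed.

```javascript
function normalize(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = String(v).trim();
  return out;
}

function splitList(value) {
  return (value || "").split(",").map((s) => s.trim().toLowerCase()).filter(Boolean);
}

// Returns plain-English findings; an empty array means the browser accepts the response.
function diagnoseCors(requestHeaders, responseHeaders) {
  const req = normalize(requestHeaders);
  const res = normalize(responseHeaders);
  const findings = [];
  const origin = req["origin"];
  if (!origin) return ["No Origin header: the browser did not treat this as a cross-origin request."];

  // A Cookie header on a cross-origin request means credentials mode was "include".
  // (A preflight OPTIONS carries no cookies, so paste the actual request to check credential rules.)
  const credentialed = "cookie" in req;
  const acao = res["access-control-allow-origin"];
  const acac = res["access-control-allow-credentials"];

  if (!acao) {
    findings.push(`Missing Access-Control-Allow-Origin. Fix: Access-Control-Allow-Origin: ${origin}`);
  } else if (acao === "*") {
    if (credentialed) findings.push(`Access-Control-Allow-Origin: * is rejected for credentialed requests. Fix: echo ${origin} and set Access-Control-Allow-Credentials: true`);
  } else if (acao !== origin) {
    findings.push(`Access-Control-Allow-Origin is ${acao} but the request Origin is ${origin}. Fix: return the exact origin.`);
  }
  if (credentialed && acac !== "true") findings.push(`Credentialed request needs Access-Control-Allow-Credentials: true (got "${acac || "none"}").`);

  // Preflight: compare what the browser asked for with what the server allows.
  // A bare "*" in the Allow-* lists only counts as a wildcard for non-credentialed requests.
  const method = req["access-control-request-method"];
  const allowMethods = splitList(res["access-control-allow-methods"]);
  if (method && !allowMethods.includes(method.toLowerCase()) && !(allowMethods.includes("*") && !credentialed)) {
    findings.push(`Preflight: method ${method.toUpperCase()} is not in Access-Control-Allow-Methods (${allowMethods.join(", ") || "none"}).`);
  }
  const asked = splitList(req["access-control-request-headers"]);
  const allowHeaders = splitList(res["access-control-allow-headers"]);
  const wildcardHeaders = allowHeaders.includes("*") && !credentialed;
  // Authorization is never covered by "*"; it must be listed explicitly.
  const missing = asked.filter((h) => !allowHeaders.includes(h) && !(wildcardHeaders && h !== "authorization"));
  if (missing.length) findings.push(`Preflight: headers not allowed: ${missing.join(", ")}. Add them to Access-Control-Allow-Headers.`);
  return findings;
}
```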