CORS Header Debugger

Debug CORS errors, test preflight behavior, validate headers, and generate server snippets for Express, Flask, Nginx, Apache, and Workers.

Browser-BasedResponsive UIPrivacy-First
Privacy: The CORS simulation runs locally in your browser. Origins, headers, and policy drafts are not uploaded.

Quick presets

Load a realistic frontend-to-API scenario, then adjust the request or server policy until the browser outcome makes sense.

Click any preset to load it

Request Simulation

The browser Origin header sent by the frontend app.

Comma-separated headers the browser wants to send. Leave blank for a simple request.

The browser is currently treating this as a preflighted request.

Server Policy

Used when the server is configured for a specific origin. Ignored for wildcard mode.

Response behavior

Fine-tune the two server rules browsers complain about most during CORS debugging.

Live Fetch Probe

This runs a real browser fetch from the current page origin using the request mode you choose below. It helps confirm whether the browser blocks the call in practice.

The live probe is optional. Use it when you want to test a real endpoint from the browser instead of only simulating the header logic.

No probe run yet. Add a backend URL and choose Run Probe when you want to test a real endpoint.

Browser outcome

Request Allowed

The browser can complete the request and expose the response to frontend JavaScript.

PreflightedOPTIONS readyNo credentials

Validation Findings

OK
Browser allows this configuration

No blocking CORS mismatch was detected for the current request and response combination.

Request Timeline

Expected Response Headers

Access-Control-Allow-Origin: https://client.example.com

Server Snippet

Express / Node
app.use(cors({ origin: 'https://client.example.com' }));

How it works

How this CORS debugger works

Enter a request origin, method, headers, and your server CORS policy to see whether the browser treats the request as simple, preflighted, or blocked. The debugger shows the exact Access-Control-Allow-* headers your server should return and explains the browser outcome in plain English.

Common mistakes like wildcard origins with credentials, missing Vary: Origin, and method mismatches between preflight and response are caught instantly. Generate ready-to-use server snippets for Express, Flask, Nginx, Apache, and Cloudflare Workers. Everything runs locally in your browser with zero data uploads.