CORS Tester

Check CORS headers and security headers for any URL. See Access-Control headers, X-Frame-Options, HSTS, CSP, and more.

How It Works

1

Enter a URL

Type or paste any URL. The tool sends both a GET and an OPTIONS preflight request from the server.

2

Check CORS headers

See which Access-Control headers are present and their values — origin, methods, headers, credentials, and max-age.

3

Review security headers

The tool also checks common security headers like X-Frame-Options, HSTS, CSP, and X-Content-Type-Options.

FAQ

Browsers enforce CORS by blocking the response, so you can't read the headers from JavaScript. This tool makes the request server-side and returns the raw headers.
It means any origin can make cross-origin requests to that URL. This is permissive — fine for public APIs, but not recommended for endpoints that use cookies or authentication.
An OPTIONS request the browser sends before certain cross-origin requests (e.g. with custom headers or non-simple methods). The server must respond with appropriate CORS headers to allow the actual request.
No. The server-side request can't reach your local machine. Use it for publicly accessible URLs. For checking SSL certificates, try the SSL checker.

Built & Maintained by Varstatt

Varstatt is a one-person product studio run by Jurij Tokarski, product engineer since 2011. These tools are free and open — no signup, no catch.