CORS Tester

Check CORS headers and security headers for any URL. See if cross-origin requests are allowed and which origins, methods, and headers are permitted.

How It Works

1

Enter a URL

Type or paste any URL. The tool sends both a GET and an OPTIONS preflight request from the server.

2

Check CORS headers

See which Access-Control headers are present and their values — origin, methods, headers, credentials, and max-age.

3

Review security headers

The tool also checks common security headers like X-Frame-Options, HSTS, CSP, and X-Content-Type-Options.

FAQ

Browsers enforce CORS by blocking the response, so you can't read the headers from JavaScript. This tool makes the request server-side and returns the raw headers.
It means any origin can make cross-origin requests to that URL. This is permissive — fine for public APIs, but not recommended for endpoints that use cookies or authentication.
An OPTIONS request the browser sends before certain cross-origin requests (e.g. with custom headers or non-simple methods). The server must respond with appropriate CORS headers to allow the actual request.
No. The server-side request can't reach your local machine. Use it for publicly accessible URLs. For checking SSL certificates, try the SSL checker.

Varstatt Toolkit

Each tool works standalone, runs entirely in your browser, and requires no signup.

JSON FormatterYAML ValidatorJSON ↔ YAMLRegex TesterUUID GeneratorHash GeneratorPassword GeneratorCrontab GeneratorTimestamp ConverterBase64 EncoderJWT DecoderImage to Base64Encrypt / DecryptColor ConverterCSV EditorMarkdown PreviewText DiffHTML ↔ MarkdownMarkdown to PDFMarkdown to DOCXQR Code GeneratorBarcode GeneratorMesh GradientCSS Cover ArtImage ConverterText to GradientFavicon GeneratorAspect Ratio CalculatorSVG OptimizerImage PlaceholderDNS LookupOG Tag ValidatorUser Agent ParserHTTP Status CodesRobots.txt ValidatorSitemap ValidatorCORS TesterSSL CheckerCase ConverterWord CounterSlug GeneratorCopy Paste Characters

Built & Maintained by Varstatt

Varstatt is a one-person product studio run by Jurij Tokarski, product engineer since 2011. These tools are free and open — no signup, no catch.