---
title: CORS Tester — Check CORS & Security Headers Online
url: https://varstatt.com/toolkit/cors
description: Check CORS headers and security headers for any URL. See Access-Control headers, X-Frame-Options, HSTS, CSP, and more.
section: Developer Toolkit (https://varstatt.com/toolkit)
tags: network
related: CORS (https://varstatt.com/toolkit/cors), SSL (https://varstatt.com/toolkit/ssl), HTTP (https://varstatt.com/toolkit/http)
---
# CORS Tester

Check CORS headers and security headers for any URL. See Access-Control headers, X-Frame-Options, HSTS, CSP, and more.

## How It Works

1. **Enter a URL** — Type or paste any URL. The tool sends both a GET and an OPTIONS preflight request from the server.
2. **Check CORS headers** — See which Access-Control headers are present and their values — origin, methods, headers, credentials, and max-age.
3. **Review security headers** — The tool also checks common security headers like X-Frame-Options, HSTS, CSP, and X-Content-Type-Options.

## FAQ

### Why can't I test CORS from the browser?

Browsers enforce CORS by blocking the response, so you can't read the headers from JavaScript. This tool makes the request server-side and returns the raw headers.

### What does Access-Control-Allow-Origin: * mean?

It means any origin can make cross-origin requests to that URL. This is permissive — fine for public APIs, but not recommended for endpoints that use cookies or authentication.

### What's a preflight request?

An OPTIONS request the browser sends before certain cross-origin requests (e.g. with custom headers or non-simple methods). The server must respond with appropriate CORS headers to allow the actual request.

### Does this check my localhost?

No. The server-side request can't reach your local machine. Use it for publicly accessible URLs. For checking SSL certificates, try the [SSL checker](https://varstatt.com/toolkit/ssl-checker).

## Usage

This tool runs entirely in the browser — visit the URL above to use it.

Prefill inputs via URL parameters:

- `https://varstatt.com/toolkit/cors?url=...`

## Related Tools

- [CORS](https://varstatt.com/toolkit/cors)
- [SSL](https://varstatt.com/toolkit/ssl)
- [HTTP](https://varstatt.com/toolkit/http)