The Problem
Every web developer has hit this:
Access to fetch at 'https://api.example.com' from origin 'http://localhost:3000' has been blocked by CORS policy
You Google "CORS checker" and find tools that just check if Access-Control-Allow-Origin: * exists. That's not enough.
Real CORS issues involve:
- Preflight requests (OPTIONS) that fail silently
-
Credentials mode conflicts (
credentials: true+ wildcard origin = browser blocks it) - Missing allowed methods (your POST works but PUT doesn't)
- Max-age misconfiguration (preflight cache causing stale results)
What I Built
CORS Checker — a free tool that:
- Sends an actual OPTIONS preflight request with your test origin
- Sends a GET request with the Origin header
- Merges and analyzes ALL CORS headers from both responses
- Flags security issues (like credentials + wildcard)
Example: Testing GitHub's API
Paste https://api.github.com and you'll see:
-
Access-Control-Allow-Origin: *(allows all origins) Access-Control-Allow-Methods: GET, POST, PATCH, PUT, DELETE-
Access-Control-Max-Age: 86400(24h preflight cache) - Full list of allowed and exposed headers
How It Works
The API route sends two requests to the target URL:
// 1. OPTIONS preflight
const preflight = await fetch(targetUrl, {
method: 'OPTIONS',
headers: {
Origin: testOrigin,
'Access-Control-Request-Method': 'GET',
'Access-Control-Request-Headers': 'Content-Type',
},
});
// 2. GET with Origin
const getReq = await fetch(targetUrl, {
method: 'GET',
headers: { Origin: testOrigin },
});
This can't be done client-side (browsers block cross-origin requests to arbitrary URLs). The server-side proxy is what makes this tool actually useful vs asking ChatGPT.
Try It
corschecker.vercel.app — free, no signup, instant results.
Test your API endpoints before deploying. Test third-party APIs before integrating. Save yourself 30 minutes of CORS debugging.
Part of the DevTools Hub collection — 35+ free developer tools.
Top comments (0)