CORS Tester
Will a browser at your origin be able to call this URL? We fire the preflight + the actual request and tell you exactly why it would or wouldn't work.
Custom request headers
Requests are sent server-side so we can see the response headers a real browser would have blocked. We don't send any request body — header inspection only.
FAQ
What does this tool actually do?▼
It fires the requests for you from our server with the Origin header you specify, so you can see exactly which CORS headers come back from the target — and we tell you whether a real browser would let the request through.
Why simulate from a server instead of the browser?▼
If the target site doesn't allow your browser's actual origin, the browser blocks the response and you never see the headers. Simulating server-side lets us read the response and report it.
What's a 'simple' request?▼
GET/HEAD/POST with only Accept, Accept-Language, Content-Language, or simple Content-Type (form-urlencoded, multipart, text/plain). These skip the preflight OPTIONS request — everything else triggers one.
What's the credentials toggle?▼
If your browser code uses fetch(..., {credentials: 'include'}) or XHR.withCredentials = true, the response must include Access-Control-Allow-Credentials: true AND Access-Control-Allow-Origin must echo your origin (not '*'). Toggle this to check.
More Website Tools
Regex Tester
Test JavaScript regular expressions live. Highlighted matches, capture groups, replace preview. Pure browser.
Robots.txt & Sitemap Inspector
Fetch and parse any site's robots.txt, list every sitemap referenced, and peek inside each sitemap.
OG Link Preview
See how any URL will render when shared on Twitter, LinkedIn, Slack, iMessage, and Discord. Catches missing OG tags before you post.