CORS Checker

Test any URL for CORS (Cross-Origin Resource Sharing) headers. The tool sends a preflight OPTIONS request and a regular GET request, then reports which origins, methods, and headers are allowed. Spot misconfigurations and security issues.

Url Required

URL to check for CORS headers

Advanced options

Origin Optional

Origin to send in the preflight request

Get an API key to automate this

Result

Code snippets

What this tool checks

Sends real preflight (OPTIONS) and GET requests
Parses all Access-Control-* headers
Custom origin for testing specific domains
Security analysis and recommendations
Detects wildcard + credentials misconfiguration
Reports allowed methods and headers

Automate this with the API

Run this tool programmatically from your code. Get a free temporary API key with 20 requests/day — or register for 75 requests/day.

                    curl https://apixies.io/api/v1/check-cors?url=... \
  -H "X-API-Key: YOUR_API_KEY"
                

Get Temporary API Key View API Documentation →

Frequently asked questions

What is a CORS preflight request?

Browsers send an OPTIONS request before certain cross-origin requests to check if the server allows them. This is the "preflight" check. The tool simulates this to see how the server responds.

Why is wildcard origin with credentials a problem?

Browsers block requests that use Access-Control-Allow-Origin: * together with Access-Control-Allow-Credentials: true. It's a security risk and a misconfiguration that needs fixing.

What if the server doesn't respond to OPTIONS?

Some servers don't handle preflight requests. The tool also checks the regular GET response for CORS headers and reports what it finds either way.

Related tools

Free SSL Certificate Checker

Enter a domain to inspect its SSL/TLS certificate. You'll see the issuer, validity dates, days until expiry, protocol version, and whether the certificate chain is healthy. Useful for catching expiring certificates before they cause browser warnings.

Security Headers Checker

Paste a URL to analyze its HTTP security headers. The tool checks for Content-Security-Policy, Strict-Transport-Security, X-Frame-Options, and other headers that protect against common web attacks. You'll get a grade and a list of missing protections.

Free Email Validator

Enter an email address to validate it. The tool checks format syntax, resolves MX records to verify the domain accepts mail, detects disposable email services (like Mailinator), and flags role-based addresses (like info@ or admin@). Useful for cleaning mailing lists or validating form submissions.

Email Authentication Checker (SPF, DKIM, DMARC)

Enter a domain to check its email authentication configuration. The tool validates SPF records (who can send on your behalf), DKIM records (email signatures), and DMARC policies (what to do with unauthenticated mail). Misconfigured authentication is the top reason emails land in spam.

View all 49 tools →