
CORS Header Validator

Paste your CORS response headers or fill the fields, and get a per-header check with pass, warn, and fail findings. Runs in your browser with no requests sent.


About the CORS Header Validator

The CORS Header Validator checks the Cross-Origin Resource Sharing headers on an HTTP response and tells you whether they are set up correctly. Paste raw response headers or fill in the fields, and the tool reports a pass, warn, or fail finding for each header with a short reason. It is built for developers, and for WordPress and API integrators, who need to confirm a CORS setup or debug a blocked request. Everything runs in your browser: it reads only the text you provide and makes no requests to your server or any other site.

How it works

  1. Choose a mode: paste raw response headers (one per line as Header-Name: value), or fill the individual fields for origin, methods, headers, and credentials.
  2. Enter your values, or click Load sample to see an example with a common mistake.
  3. Click Check to analyze the input. Each header gets a pass, warn, or fail badge with a plain explanation.
  4. Read the findings and the summary line, then fix any fail or warn items in your server config.

Features

  • Two input modes: paste raw headers, or fill labeled fields.
  • Per-header findings with pass, warn, and fail badges and a short reason for each.
  • Flags the unsafe combination of Access-Control-Allow-Origin: * with Access-Control-Allow-Credentials: true.
  • Catches missing, empty, malformed, and overly broad values, and confirms safe setups.
  • Runs fully in the browser with no network requests, so nothing you paste is sent anywhere.

Frequently asked questions

Does this tool fetch headers from a live URL?

No. It only analyzes the header text you paste or type. It does not contact your server or make any cross-origin request, so it works on internal setups and never sends your data anywhere.

Why is Access-Control-Allow-Origin: * with credentials flagged as a fail?

Browsers reject a credentialed response when the allowed origin is the wildcard *. When Access-Control-Allow-Credentials is true, you must return a single specific origin, such as https://app.example.com, instead of *.

Can I list several origins in Access-Control-Allow-Origin?

No. The header accepts a single origin or the wildcard *, not a comma-separated list. To support multiple origins, check the request Origin header on the server and echo back the matching one.

Why does it warn when OPTIONS is missing from the methods?

Non-simple cross-origin requests trigger a preflight OPTIONS request. If OPTIONS is not in Access-Control-Allow-Methods and not handled by the server, the preflight can fail and the real request is blocked.

What is a safe CORS setup?

For a public, read-only API, Access-Control-Allow-Origin: * with no credentials is fine. For authenticated requests, return one specific origin, set Access-Control-Allow-Credentials: true, and list the exact methods and headers you allow rather than using wildcards.
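The per-header rules described in the features list and the FAQ above, written out as a small browser-side checker. This is an added example, not the tool's own code; the header names are the standard CORS response headers, and the finding texts and the origin regex are assumptions of this example.

```javascript
// Added example (not the tool's own code): a header checker producing the
// pass/warn/fail findings this page describes. Input is raw response header text.
function parseHeaders(raw) {
  const headers = {};
  for (const line of raw.split(/\r?\n/)) {
    const idx = line.indexOf(":");
    if (idx < 1) continue;                              // skip blank or malformed lines
    headers[line.slice(0, idx).trim().toLowerCase()] = line.slice(idx + 1).trim();
  }
  return headers;
}

function checkCors(raw) {
  const h = parseHeaders(raw);
  const findings = [];
  const add = (header, level, reason) => findings.push({ header, level, reason });
  // Allow-Credentials only has one valid value, the literal "true".
  const credsHeader = h["access-control-allow-credentials"];
  const creds = credsHeader === "true";
  if (credsHeader !== undefined && !creds)
    add("Access-Control-Allow-Credentials", "fail", 'only the literal value "true" is valid');

  // Allow-Origin: one origin or "*", never a list, never "*" together with credentials.
  const origin = h["access-control-allow-origin"];
  const ACAO = "Access-Control-Allow-Origin";
  if (origin === undefined) add(ACAO, "fail", "header missing");
  else if (origin === "") add(ACAO, "fail", "empty value");
  else if (origin.includes(",")) add(ACAO, "fail", "comma-separated list; echo back the one matching origin");
  else if (origin === "*" && creds) add(ACAO, "fail", "wildcard with credentials is rejected by browsers");
  else if (origin === "*") add(ACAO, "warn", "wildcard; acceptable only for public, non-credentialed APIs");
  else if (!/^https?:\/\/[^\/\s]+$/.test(origin)) add(ACAO, "fail", "malformed origin (expected scheme://host[:port])");
  else add(ACAO, "pass", "single specific origin");

  // Allow-Methods / Allow-Headers: explicit lists beat wildcards; preflight needs OPTIONS.
  for (const name of ["Access-Control-Allow-Methods", "Access-Control-Allow-Headers"]) {
    const value = h[name.toLowerCase()];
    if (value === undefined) continue;                  // optional; only checked when present
    const items = value.split(",").map(s => s.trim()).filter(Boolean);
    if (items.length === 0) add(name, "fail", "empty value");
    else if (items.includes("*")) add(name, "warn", "wildcard; list the exact values you allow");
    else if (name.endsWith("Methods") && !items.map(m => m.toUpperCase()).includes("OPTIONS"))
      add(name, "warn", "OPTIONS missing; preflight requests may fail");
    else add(name, "pass", "explicit list");
  }

  // Summary line: the worst level found wins.
  const summary = findings.some(f => f.level === "fail") ? "fail"
                : findings.some(f => f.level === "warn") ? "warn" : "pass";
  return { summary, findings };
}
```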