CORS Tester

CORS (Cross-Origin Resource Sharing, Fetch spec) is the browser's mechanism for controlling whether JavaScript on one origin can read responses from another. This tool fires a real fetch from your browser to the URL you specify and reports one of three verdicts: CORS allowed (response readable), CORS blocked (endpoint exists but refused this origin), or unreachable (network/TLS/CSP failure).

When CORS is allowed, the tool shows every response header your browser exposes — but note that browsers hide non-safelisted headers unless the server explicitly opts in via Access-Control-Expose-Headers. The equivalent curl command is always printed so you can verify the full wire response outside the browser sandbox.

Request headers (one per line, Key: Value)

What this tool tells you

Verdict at a glance

Allowed, blocked, or unreachable — with timing and a one-line explanation, so you know whether to fix the server, the request, or the network.

Opaque-probe distinction

When the CORS request fails, the tool follows up with a no-cors request. If that succeeds, the endpoint exists and is just refusing the origin — a different fix from a network failure.

Curl-equivalent output

The browser hides response headers that aren't CORS-exposed. The printed curl command lets you verify the actual server response from any terminal.