The Problem

Every web developer has hit this:

Access to fetch at 'https://api.example.com' from origin 'http://localhost:3000' has been blocked by CORS policy

You Google "CORS checker" and find tools that just check if Access-Control-Allow-Origin: * exists. That's not enough.

Real CORS issues involve:

• Preflight requests (OPTIONS) that fail silently
• Credentials mode conflicts (credentials: true + wildcard origin = browser blocks it)
• Missing allowed methods (your POST works but PUT doesn't)
• Max-age misconfiguration (preflight cache causing stale results)

What I Built

CORS Checker — a free tool that:

1. Sends an actual OPTIONS preflight request with your test origin
2. Sends a GET request with the Origin header
3. Merges and analyzes ALL CORS headers from both responses
4. Flags security issues (like credentials + wildcard)

Example: Testing GitHub's API

Paste https://api.github.com and you'll see:

• Access-Control-Allow-Origin: * (allows all origins)
• Access-Control-Allow-Methods: GET, POST, PATCH, PUT, DELETE
• Access-Control-Max-Age: 86400 (24h preflight cache)
• Full list of allowed and exposed headers

How It Works

The API route sends two requests to the target URL:

// 1. OPTIONS preflight
const preflight = await fetch(targetUrl, {
 method: 'OPTIONS',
 headers: {
 Origin: testOrigin,
 'Access-Control-Request-Method': 'GET',
 'Access-Control-Request-Headers': 'Content-Type',
 },
});

// 2. GET with Origin
const getReq = await fetch(targetUrl, {
 method: 'GET',
 headers: { Origin: testOrigin },
});

This can't be done client-side (browsers block cross-origin requests to arbitrary URLs). The server-side proxy is what makes this tool actually useful vs asking ChatGPT.

Try It

corschecker.vercel.app — free, no signup, instant results.

Test your API endpoints before deploying. Test third-party APIs before integrating. Save yourself 30 minutes of CORS debugging.

Part of the DevTools Hub collection — 35+ free developer tools.