CORS Tester & Generator
5 tabs (Header Builder / Preflight Simulator / Analyze Response / Live Test / Reference). 10 snippet formats (raw HTTP, Express, Next.js, Nginx, Apache, FastAPI, Flask, Spring Boot, Caddy). Best-practice validator, visual preflight flow with step-by-step rule checks, real fetch-based live testing.
Quick recipes
Load a sensible baseline for a common scenario, then tweak.
CORS configuration
Build the Access-Control-Allow-* response headers your server should send.
Wildcard — allows every origin. Cannot be combined with credentials.
Comma-separated list. Browser-controlled headers (Cookie, Origin, Host…) are ignored if listed.
Response headers JS can read. Safelisted ones (Content-Type, Cache-Control, etc.) are always readable.
Chrome caps at 7200s, Firefox at 86400s, Safari at 600s.
Generated headers
Pick a format and drop it into your server, edge or middleware.
HTTP/1.1 204 No Content
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST
Access-Control-Allow-Headers: Content-Type
Access-Control-Max-Age: 600Best-practice review
Common CORS pitfalls and spec conflicts.
Looks good. No common CORS issues detected.