CORS SEO Validator — API Origin Trust Checker

How to use this validator

1. Capture headers with DevTools Network, curl -I, or an OPTIONS preflight request against the exact API route and origin pair you are shipping.
2. Paste only the response headers and run the validator to check origin, credentials, methods, allowed headers, and max-age coherence.
3. Fix flagged conflicts in your framework route, serverless function, reverse proxy, or CDN rule, then retest the final redirected production/preflight response.

When to use it

• QA public API responses before launching a new app shell, account flow, checkout, lead-capture form, webhook debugger, or validator page.
• Compare Vercel preview and production CORS behavior before merging frontend changes that introduce new origins or headers.
• Debug browser fetch failures where server logs show 200s but DevTools reports origin, credentials, or preflight rejection.
• Pair CORS QA with security headers, CSP, compression, performance budget, manifest, favicon, Open Graph, JSON-LD, canonical, sitemap, and robots validation.

Common errors

• Using Access-Control-Allow-Origin: * together with Access-Control-Allow-Credentials: true on login, checkout, dashboard, or saved-account APIs.
• Testing only GET while the real browser failure is the OPTIONS preflight for POST, PATCH, DELETE, Authorization, or Content-Type: application/json.
• Forgetting Authorization, Content-Type, X-CSRF-Token, tenant, or analytics headers in Access-Control-Allow-Headers after a frontend release.
• Different CORS headers between localhost, Vercel preview, production, CDN cache hits, and API route/middleware layers.
• Returning CORS headers on success responses but not errors, redirects, 204 OPTIONS responses, or edge/runtime exceptions.

Limitations

• Does not fetch a URL, issue a real preflight, test cookies, verify SameSite/Secure flags, or reproduce browser cache state.
• Cannot prove every route variant is covered; test success, failure, redirect, OPTIONS, cached CDN, and authenticated API paths separately.
• Does not replace a browser DevTools run, integration test, or CDN/platform configuration review for complex multi-origin apps.

Tips

• Keep production origins explicit for credentialed requests, and review wildcard usage separately for public, unauthenticated, cacheable APIs.
• Test OPTIONS responses as well as the final GET/POST response; browsers can fail before the application handler runs.
• Include every header your frontend sends, especially Authorization, Content-Type, X-CSRF-Token, and custom tenant/source headers.
• Check the final CDN/edge layer after redirects and rewrites; framework defaults, middleware, and cache rules can overwrite route-level headers.
• Use a short staged max-age during rollout, then raise it only after production and preview origins have been verified.

Examples

Deep dive

FAQs

Does this fetch my API?

No. It only parses pasted headers in your browser, so private endpoints and preview URLs are not requested by allthevalidators.com.

Can wildcard origins be okay?

Sometimes for public, unauthenticated, cacheable reads. Do not combine '*' with credentials=true, and avoid wildcards for login, account, checkout, or user-data APIs.

Why does my server show 200 while the browser fails?

CORS is enforced by the browser. A successful server response can still be hidden from frontend code if origin, credentials, methods, or requested headers do not match the browser's CORS rules.

Should I test OPTIONS separately?

Yes. POST, Authorization, JSON bodies, custom headers, and non-simple methods often trigger OPTIONS preflights that can use different headers than the final API response.

Related validators