No. Parsing is local and clears on refresh.

Do you make actual preflights?

No. This checks header coherence only.

web validator

CORS Header Validator

Validate CORS response headers locally—origins, methods, headers, credentials, and max-age.

Results

Processing…

Status: Processing...
Details: Processing...
Allow-Origin: Processing...
Allow-Methods: Processing...
Allow-Headers: Processing...
Allow-Credentials: Processing...
Max-Age: Processing...
Issues: Processing...

How to use this validator

Paste the CORS-related response headers.
Run validate to check origin/method/header/credentials/max-age coherence.
Fix flagged conflicts (e.g., wildcard + credentials) and re-run.

Rules & checks

Access-Control-Allow-Origin is required.

Access-Control-Allow-Methods should list allowed verbs.

Access-Control-Allow-Credentials must be true/false; cannot combine '*' origin with credentials=true.

Access-Control-Max-Age must be numeric if present.

Inputs explained

HTTP response headers
Paste raw headers (one per line) from your API/CDN. Keep sensitive values out; this runs locally.

When to use it

QA API responses before deploying CORS changes
Debug frontend preflight failures
Check CDN/edge header overrides

Common errors

Wildcard origin combined with credentials=true
Missing Allow-Methods or headers
Non-numeric max-age

Limitations

Header-level validation only; does not issue real CORS requests or check preflight flows.

Tips

Avoid '*' when sending credentials
Align methods/headers with what your frontend actually sends
Keep allowed origins explicit in production

Examples

Valid

Allow-Origin: https://example.com
Allow-Methods: GET, POST
Allow-Headers: Content-Type
Allow-Credentials: true

Wildcard + credentials

Allow-Origin: * with Allow-Credentials: true -> flagged

Missing methods

No Allow-Methods -> flagged

Deep dive

This CORS validator checks Access-Control-Allow-* headers locally to catch wildcard/credentials conflicts and missing fields before browsers reject requests.

Use it to QA API/CDN headers pasted from DevTools or curl without sending them anywhere.

FAQs

Is this uploaded?: No. Parsing is local and clears on refresh.
Do you make actual preflights?: No. This checks header coherence only.

Related validators

web

HTTP Security Headers Validator

Validate core security headers (HSTS, nosniff, frame options, referrer policy, permissions policy) entirely client-side.

web

HTTP Compression Validator

Check HTTP response headers for gzip/br compression, numeric lengths, and basic ratios—client-side only.

All validation happens in your browser. No data is sent, logged, or stored.

Header-level validation only; does not issue real CORS requests.