Question 1

Why does this tool use a server to make requests?

Accepted Answer

Cross-origin requests made directly from a browser are blocked by the browser's own CORS policy before they even reach the server. To test your CORS configuration objectively, the request must come from a server (a Cloudflare Worker in this case) that is not subject to browser CORS restrictions.

Question 2

What is a CORS preflight request?

Accepted Answer

Before sending a cross-origin request with a non-simple method (POST, PUT, DELETE, PATCH) or custom headers, browsers send an OPTIONS request called a preflight. The server must respond with the appropriate Access-Control-Allow-* headers for the browser to proceed with the actual request.

Question 3

What does Access-Control-Allow-Origin: * mean?

Accepted Answer

A wildcard (*) allows any origin to access the resource. This is fine for public APIs, but cannot be used alongside Access-Control-Allow-Credentials: true — browsers reject that combination. Use the exact origin instead when cookies or auth headers are needed.

Question 4

Why is my preflight blocked but my GET request works?

Accepted Answer

Simple GET requests without custom headers do not trigger a preflight. Browsers send them directly and check the response headers. If your API later needs custom headers or a non-simple method, the preflight will fail if not configured.

Question 5

Is my URL or origin data stored anywhere?

Accepted Answer

No. The request is proxied through a Cloudflare Worker for this test only. No URLs, origins, or response data are logged or stored.

CORS Tester

Common Use Cases

Frequently Asked Questions

Related Tools