CORS Preflight Inspector

Tell us about a fetch() call. We'll show whether the browser will fire a CORS preflight, what the OPTIONS request looks like on the wire, and — once you've pasted the response headers back in — whether they'd actually let the request through. Every misconfiguration ships with a one-line fix. Pure client-side, no upload.

Request

Request headers

One per row, in the order the browser would send them. Click + Add header to add a row.

Request body (optional)

Preflight verdict

Is it CORS-safelisted?

Fill in the request above to see whether the browser will preflight it.

Why it triggers a preflight
  • No preflight triggers (yet).
Preflight OPTIONS request

Response check

Paste the Access-Control-* response headers the server actually returned (one per line, in Name: value form). Or paste a full response block — we'll ignore the status line and body.

Quick reference

Simple request
A fetch the browser sends without a preflight. Must be GET, HEAD, or POST; may only set Accept, Accept-Language, Content-Language, Content-Type (with a restricted value), and a handful of device hints; and may not include credentials.
Preflight
An OPTIONS request the browser sends first when the real request is not CORS-safelisted. The server must approve it before the browser sends the real request.
Access-Control-Allow-Origin
Either the exact requesting origin, or * for public reads. The wildcard is forbidden when credentials are on.
Access-Control-Allow-Methods
Comma-separated methods the server is willing to handle at this URL. The wildcard is not allowed here.
Access-Control-Allow-Headers
Comma-separated request header names the server is willing to read. The wildcard works for non-credentialed requests.
Access-Control-Allow-Credentials
Set to true only when the server wants cookies / HTTP auth on cross-origin requests.
Vary: Origin
Advisory. If Allow-Origin is dynamic (not *), shared caches need Vary: Origin to avoid serving one origin's response to another.