Cross-Origin Resource Sharing (CORS) is the browser mechanism that decides whether JavaScript on one origin may read a response from another. It is controlled entirely by Access-Control-* response headers, and small mistakes can either break legitimate requests or open serious security gaps. This tool parses pasted CORS headers and explains in plain English exactly what they permit — and flags dangerous combinations that browsers will reject or that would expose authenticated data.
The six CORS response headers
The tool reads and interprets each recognised header against the CORS specification:
| Header | What it controls |
|---|---|
Access-Control-Allow-Origin | Which origin(s) may read the response — a specific origin or * for any |
Access-Control-Allow-Methods | HTTP methods permitted on the actual request (POST, PUT, DELETE, etc.) |
Access-Control-Allow-Headers | Request headers the client may include (e.g. Authorization, Content-Type) |
Access-Control-Allow-Credentials | Whether cookies, auth headers, or TLS client certs are allowed — must not be true with a wildcard origin |
Access-Control-Max-Age | Seconds the browser may cache the preflight result before re-checking |
Access-Control-Expose-Headers | Response headers JavaScript is allowed to read (by default only a small safe set is visible) |
Validation rules the tool enforces
Several combinations are outright invalid under the CORS spec:
- Wildcard + credentials:
Access-Control-Allow-Origin: *combined withAccess-Control-Allow-Credentials: trueis rejected by all major browsers. The browser will not expose the response to JavaScript. The fix: echo the specific requesting origin instead of*when credentials are involved. Allow-Headers: *with credentials: Also invalid — the wildcard for headers cannot be used alongside credentials.SameSite=Nonecookies on CORS requests: The cookie must also beSecureor it will be dropped, silently breaking authenticated cross-origin calls.
Worked example
Paste these headers and the tool raises a warning:
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
Explanation: any origin may attempt to read the response, but because credentials are also allowed, browsers will block the response — this combination is forbidden. The corrected headers for an authenticated API:
Access-Control-Allow-Origin: https://app.example.com
Access-Control-Allow-Credentials: true
Access-Control-Allow-Methods: GET, POST, PUT, DELETE
Access-Control-Allow-Headers: Content-Type, Authorization
Access-Control-Max-Age: 600
This allows only one specific origin, which the server must generate dynamically from an allowlist matching the incoming Origin request header.
Common debugging scenarios
- CORS error on a credentialed fetch: Almost always
*origin with credentials — switch to echoing the specific origin. - Preflight failing on a custom header: The header must be listed in
Allow-Headers.Authorizationis the most frequently forgotten. - Custom response header not readable by JS: Add it to
Access-Control-Expose-Headers. Response headers are hidden from scripts by default unless explicitly exposed.
Nothing you paste leaves your browser — the parsing and validation run entirely in JavaScript on your device.