CORS tester
Paste a target URL. The tester fires a real CORS preflight (OPTIONS) and a follow-up GET from your browser, parses the response, and tells you in plain English what your server is missing or returning wrong. No proxy, no server-side fetch — because CORS is a browser policy and only a real browser request reproduces it.
What does this check?
- Preflight — an OPTIONS request with the headers your real fetch would send. We surface whether the server returns Access-Control-Allow-Origin, Access-Control-Allow-Methods, and (when you pass custom headers) Access-Control-Allow-Headers with the right values for the origin you supplied.
- Real fetch — a follow-up GET (or POST / PUT / DELETE) so you see what your actual code path will see, not just the preflight result.
- Credentials mode — if you toggle "send credentials", the tester fires with credentials: 'include' and verifies the server returns Access-Control-Allow-Credentials: true with a non-wildcard origin (the spec forbids * with credentials).
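The checks listed above can be expressed as a pure function over the preflight response headers. This is an added example, not the tester's own code: `diagnosePreflight`, its argument shape and the sample origin are hypothetical, and `request.headers` is assumed to contain only the custom (non-safelisted) header names.

```javascript
// Added example; diagnosePreflight and its argument shape are hypothetical names.
// request.headers is assumed to hold only the non-safelisted (custom) header names.
function diagnosePreflight(responseHeaders, request) {
  const h = {}; // header names are case-insensitive, so normalise them
  for (const [k, v] of Object.entries(responseHeaders)) h[k.toLowerCase()] = String(v).trim();
  const list = (v) => (v || "").split(",").map((s) => s.trim()).filter(Boolean);
  const issues = [];
  const creds = Boolean(request.credentials);

  const origin = h["access-control-allow-origin"];
  if (!origin) {
    issues.push("missing Access-Control-Allow-Origin");
  } else if (origin === "*") {
    if (creds) issues.push("Access-Control-Allow-Origin: * is rejected when credentials are sent");
  } else if (origin !== request.origin) {
    issues.push(`Access-Control-Allow-Origin is "${origin}", expected "${request.origin}"`);
  }

  if (creds && h["access-control-allow-credentials"] !== "true") {
    issues.push("Access-Control-Allow-Credentials must be exactly \"true\"");
  }

  // GET, HEAD and POST are CORS-safelisted methods and need not be listed.
  // Method tokens are compared case-sensitively; "*" only counts without credentials.
  const method = request.method.toUpperCase();
  const methods = list(h["access-control-allow-methods"]);
  const methodOk = ["GET", "HEAD", "POST"].includes(method) ||
    methods.includes(method) || (!creds && methods.includes("*"));
  if (!methodOk) issues.push(`Access-Control-Allow-Methods does not allow ${method}`);

  // Header names compare case-insensitively; "*" never covers Authorization.
  const allowed = list(h["access-control-allow-headers"]).map((s) => s.toLowerCase());
  for (const name of request.headers || []) {
    const n = name.toLowerCase();
    const wildcard = !creds && allowed.includes("*") && n !== "authorization";
    if (!allowed.includes(n) && !wildcard) {
      issues.push(`Access-Control-Allow-Headers does not allow ${name}`);
    }
  }
  return issues;
}

// Constructed sample: a credentialed PUT with one custom header against a wildcard policy.
const sampleIssues = diagnosePreflight(
  { "Access-Control-Allow-Origin": "*", "Access-Control-Allow-Methods": "GET, POST" },
  { origin: "https://app.example", method: "PUT", headers: ["X-Api-Key"], credentials: true }
);
console.log(sampleIssues.join("\n"));
```
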
Targeting your localhost?
A browser running this page can't fetch http://localhost:3000 (mixed-content blocked from this https page) — and that's a bigger truth: in production your site runs on https, so the server you're calling has to also speak https. Tunnel your local server with a real cert and test against the public URL — same posture as prod.
$ lrok http 3000
Forwarding https://violet-mole.lrok.io -> http://127.0.0.1:3000

Then paste https://violet-mole.lrok.io/api/your-route as the target URL above.