About corsverdict

A free, open checker for the question every web developer has typed into a search bar: “why is my CORS request blocked?”

CORS (Cross-Origin Resource Sharing) is the browser rule set that decides whether JavaScript on one origin may read a response from another. The errors are famously opaque, the spec is subtle, and the same request often works in curl or Postman — because CORS is enforced by the browser, not the server. Instead of firing live requests and decoding console messages, you paste the request and the server’s Access-Control-* headers, and corsverdict resolves the rules for you.

corsverdict takes your request (Origin, method, custom headers, Content-Type, credentials) and the server's Access-Control-* response headers and applies the WHATWG Fetch / CORS rules: it decides whether a preflight is required, whether the browser would allow or block the request, the exact rule that fails, and the minimal correct response headers to fix it. It evaluates statically from the headers you paste — no live request — and runs entirely in your browser. It is informational, not a security audit; always confirm against your real server and browser devtools.

It covers the failures that cause the overwhelming majority of CORS problems: a wildcard with credentials, an Origin that doesn’t match byte-for-byte (a trailing slash, http vs https, a different port), a method or header missing from the preflight allow-list, the Authorization header that the “*” wildcard never covers, and a reflected Origin without Vary: Origin.
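The checks described above, as an added example that is not corsverdict's own code: a reduced static evaluator in JavaScript. The function name `corsVerdict`, its rule names and the shape of the `req`/`res` objects are assumptions made here; it assumes the same headers appear on the preflight and the actual response, and it leaves out the Range safelist entry and header value-length limits.

```javascript
// Added example: static CORS evaluation over pasted headers (not corsverdict's source).
// req: { origin, method (upper-case), headers: {name: value}, credentials: bool }
// res: response headers keyed by lower-case name (assumed same on preflight and response).
const SAFE_METHODS = ["GET", "HEAD", "POST"];
const SAFE_HEADERS = ["accept", "accept-language", "content-language"];
const SAFE_TYPES = ["application/x-www-form-urlencoded", "multipart/form-data", "text/plain"];
const list = (v) => (v || "").split(",").map((s) => s.trim()).filter(Boolean);

// Lower-cased names of request headers that are not CORS-safelisted.
function unsafeHeaders(req) {
  return Object.entries(req.headers || {}).filter(([name, value]) => {
    const n = name.toLowerCase();
    if (n === "content-type") return !SAFE_TYPES.includes(value.split(";")[0].trim().toLowerCase());
    return !SAFE_HEADERS.includes(n);
  }).map(([name]) => name.toLowerCase());
}

function corsVerdict(req, res) {
  const unsafe = unsafeHeaders(req);
  const preflight = !SAFE_METHODS.includes(req.method) || unsafe.length > 0;
  const warnings = [];
  const out = (rule) => ({ preflight, allowed: rule === null, rule, warnings });
  const acao = res["access-control-allow-origin"];
  // CORS check: "*" only satisfies non-credentialed requests; otherwise exact match.
  if (acao === undefined) return out("missing-allow-origin");
  if (acao === "*") {
    if (req.credentials) return out("wildcard-with-credentials");
  } else {
    if (acao !== req.origin) return out("origin-mismatch");
    if (req.credentials && res["access-control-allow-credentials"] !== "true")
      return out("credentials-not-allowed");
    // Not a browser block: if the server reflects Origin, a shared cache may reuse this.
    if (!list(res["vary"]).some((v) => v === "*" || v.toLowerCase() === "origin"))
      warnings.push("specific-origin-without-vary");
  }
  if (!preflight) return out(null);
  // Preflight allow-lists: "*" is a wildcard only without credentials.
  const methods = list(res["access-control-allow-methods"]);
  const allowHdrs = list(res["access-control-allow-headers"]).map((h) => h.toLowerCase());
  const wild = (items) => !req.credentials && items.includes("*");
  if (!SAFE_METHODS.includes(req.method) && !methods.includes(req.method) && !wild(methods))
    return out("method-not-allowed");
  for (const h of unsafe) {
    // Authorization must be listed by name; "*" never covers it.
    const covered = allowHdrs.includes(h) || (h !== "authorization" && wild(allowHdrs));
    if (!covered) return out("header-not-allowed:" + h);
  }
  return out(null);
}
```

The `specific-origin-without-vary` result is reported as a warning rather than a block, since the browser still allows the request; the risk is on the caching side.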

Informational developer tool, not a security audit. It evaluates statically from what you paste and cannot see server-side redirects, proxies, or browser quirks — always confirm against your real server and the devtools Network tab.