About corsverdict

A free, open checker for the question every web developer searches: “why is my CORS request blocked?”

CORS is the browser rule set that decides whether JavaScript on one origin may read a response from another. The errors are opaque, the spec is subtle, and the same request often works in curl or Postman — because CORS is enforced by the browser, not the server. Instead of firing live requests and decoding console messages, you paste the request and the server’s Access-Control-* headers, and corsverdict resolves the rules.

corsverdict takes your request (Origin, method, custom headers, Content-Type, credentials) and the server's Access-Control-* response headers and applies the WHATWG Fetch / CORS rules: it decides whether a preflight is required, whether the browser would allow or block the request, the exact rule that fails, and the minimal correct response headers to fix it. It evaluates statically from the headers you paste — no live request — and runs entirely in your browser. It is informational, not a security audit; always confirm against your real server and browser devtools.

It covers the common failures: a wildcard with credentials, an Origin that doesn’t match byte-for-byte (trailing slash, http vs https, port), a method or header missing from the preflight allow-list, the Authorization header the “*” wildcard never covers, and a reflected Origin without Vary: Origin.
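The rules listed above can be evaluated statically in a few dozen lines. The following is an added example, not corsverdict's own code. It assumes response header names are lowercased, that preflight and actual response headers are merged into one object, and it ignores the value-length limits and the Range header that the Fetch safelist also covers.

```javascript
// Added example: simplified static CORS evaluation (not corsverdict's code).
const SAFE_METHODS = ["GET", "HEAD", "POST"];
const SAFE_HEADERS = ["accept", "accept-language", "content-language"];
const SAFE_TYPES = ["application/x-www-form-urlencoded", "multipart/form-data", "text/plain"];

const list = (v) => (v || "").split(",").map((s) => s.trim()).filter(Boolean);

// req: { origin, method, headers: {name: value}, credentials: boolean }
// res: response headers keyed by lowercase name (assumption of this sketch)
function corsVerdict(req, res) {
  // Request headers that fall outside the safelist force a preflight.
  const unsafe = Object.entries(req.headers || {})
    .map(([k, v]) => [k.toLowerCase(), v])
    .filter(([k, v]) => k === "content-type"
      ? !SAFE_TYPES.includes(v.split(";")[0].trim().toLowerCase())
      : !SAFE_HEADERS.includes(k))
    .map(([k]) => k);
  const preflight = !SAFE_METHODS.includes(req.method) || unsafe.length > 0;
  const block = (reason) => ({ preflight, allowed: false, reason });

  const acao = res["access-control-allow-origin"];
  if (acao === undefined) return block("no Access-Control-Allow-Origin");
  if (acao === "*") {
    if (req.credentials) return block("wildcard origin with credentials");
  } else if (acao !== req.origin) {
    return block("origin does not match byte-for-byte");
  }
  if (req.credentials && res["access-control-allow-credentials"] !== "true")
    return block("Access-Control-Allow-Credentials is not true");

  if (preflight) {
    const methods = list(res["access-control-allow-methods"]); // case-sensitive
    const headers = list(res["access-control-allow-headers"]).map((h) => h.toLowerCase());
    // "*" is a wildcard only for requests without credentials.
    const star = (arr) => !req.credentials && arr.includes("*");
    if (!SAFE_METHODS.includes(req.method) && !methods.includes(req.method) && !star(methods))
      return block("method not in Access-Control-Allow-Methods");
    for (const h of unsafe) {
      if (h === "authorization" && !headers.includes(h))
        return block("Authorization must be listed explicitly");
      if (!headers.includes(h) && !star(headers))
        return block("header not in Access-Control-Allow-Headers: " + h);
    }
  }
  // Advisory only: a static check cannot tell a reflected Origin from a fixed one.
  const cacheRisk = acao !== "*" && !list(res["vary"]).some((v) => v.toLowerCase() === "origin");
  return { preflight, allowed: true, reason: cacheRisk ? "allowed; add Vary: Origin" : "allowed" };
}
```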

Informational developer tool, not a security audit. Confirm against your real server and devtools.
