CORS Header Builder & Preflight Tester

Build a browser-facing CORS policy, generate the exact Access-Control-Allow-* headers, and simulate whether a request or preflight would pass. Good for APIs, webhooks, dashboards, and the endless "why is the browser mad at me" loop.

Header builder Preflight simulator Credentials checks Local-only browser tool

Policy builder

Describe the browser request and your intended policy. The tool generates headers, explains the outcome, and highlights contradictions.

Request origin

Target URL

Request method

Request headers

Allowed origins

Allowed methods

Allowed request headers

Exposed response headers

Preflight max age (seconds)

Private network access

Allow-Origin strategy

Allow credentialsSends Access-Control-Allow-Credentials: true. Needed for cookies or HTTP auth in browser requests.

Send Vary: OriginRecommended whenever the allow-origin value changes by requester origin.

Simulate Access-Control-Request-Private-NetworkUseful for local/LAN targets in newer Chromium flows.

Force preflight simulationEven if the request looks simple, model the OPTIONS check anyway.

Request typeSimple request

PreflightNot required

Policy resultPass

Warnings0

Generated headers

Response headers

Sample OPTIONS preflight

Preflight curl

Browser outcome

CORS rules Header matching Credential safety

Decision

This request should pass with the generated policy.

Why

- Waiting for input…

Warnings & fixes

- No warnings yet.