What is a CORS preflight request?

A preflight is an OPTIONS request the browser sends before the actual request to check if the server allows the cross-origin request. It is triggered by non-simple methods (PUT, PATCH, DELETE) or custom headers.

Why does CORS block my request?

CORS blocks requests when the server response does not include the correct Access-Control-Allow-Origin header matching your page origin, or when required methods/headers are not listed in the preflight response.

Can I use Access-Control-Allow-Origin: * with credentials?

No. When the request includes credentials (cookies, HTTP auth), the server must respond with the specific origin, not the wildcard *. The browser will block the response otherwise.

What is a simple request in CORS?

A simple request uses GET, HEAD, or POST with only safe headers (Accept, Accept-Language, Content-Language, Content-Type with form/text values). Simple requests skip the preflight check.

Tools

CORS Debugger

Simulate a cross-origin request to see if it will succeed or be blocked by the browser. Configure both the client request and server response headers to understand the full CORS flow.

🌐 Client (Browser)

Page origin

Request URL

Method

Custom headers (comma-separated)

Content-Type (optional)

Include credentials (cookies)

🖥️ Server (Response Headers)

Access-Control-Allow-Origin

Access-Control-Allow-Methods

Access-Control-Allow-Headers

Access-Control-Max-Age

Access-Control-Allow-Credentials: true

CORS Reference

Read the full CORS guide for a deep dive into how cross-origin requests work. See also the individual header references: Access-Control-Allow-Origin, Access-Control-Allow-Methods, Access-Control-Allow-Headers, Access-Control-Allow-Credentials, Access-Control-Max-Age.