12

Our application supports CORS configuration headers. I have configured testApp separately on two different hosts. Both setups work independently of each other. The application on host1 is configured with the CORS header Access-Control-Allow-Origin pointing to the application on host2. When I access the application pages of host2 I am expecting it to show the Access-Control-Allow-Origin header in the response, but it is missing.

How do I test the CORS headers to confirm they are working properly, or are coded properly to support cross-domain resource sharing?

bhuvi (121 reputation)

4 Answers

8

If your application returns the header: Access-Control-Allow-Origin then it should work. In my particular use case I set it to "*".

Otherwise testing will show an error, viewable from a browser console. It will say something like: Access to ... has been blocked by CORS policy

[Screenshot: CORS not enabled error message from browser console]

You can test if the CORS headers are working properly using your browser. I used this one and hope this helps. You will find the instructions in it. https://github.com/cactuz/cors-tester-from-browser

RudyD (497 reputation)

  • 4
    There are extremely few use cases in which you want to set `Access-Control-Allow-Origin: *`. This will essentially disable authentication for your application, as any website can now hijack your users' sessions. – ATOMP Aug 04 '20 at 15:01
  • 4
    @ATOMP albeit the * value is not recommended, the ACAO header has nothing to do with authentication and no modern website is using this header as an authentication method. – Ofer B Aug 28 '21 at 02:34
  • @OferB I think you might have missed the point. If you set Access-Control-Allow-Origin: * it becomes trivial to use XSS to hijack user sessions, thus essentially disabling authentication. – stoj May 05 '22 at 14:49
7

You could test it with curl from the terminal, sending a preflight request (OPTIONS with an Origin header) and inspecting the response headers:

curl -v --request OPTIONS 'localhost:3000' --header 'Origin: http://some.origin.here' --header 'Access-Control-Request-Method: GET'
Avi (1,223 reputation), het (484 reputation)
2

You can leverage the fetch provided by the browser debugger (F12 on Chrome and Firefox, then go to console):

fetch('https://google.ca')

If you get a CORS error then that means the current site you opened your debugger with (Origin) is not included in the Access-Control-Allow-Origin header by the site you're fetching from.

Symmetry (123 reputation)
-4

You can test it with any REST client like the POSTMAN Rest Client, or simply check it from the browser console -> Network tab -> XHR filter -> check the headers for the particular request. You can check both the request and the response.