20

Our application supports CORS configuration headers. I have configured testApp separately on two different hosts. Both setups work independently of each other. The application on host1 is configured with the CORS header Access-Control-Allow-Origin pointing to the application on host2. When I access the application pages of host2 I am expecting it to show the Access-Control-Allow-Origin header in the response, but it is missing.

How do I test the CORS headers to confirm they are working properly, or coded properly, to support cross-domain resource sharing?

bhuvi

4 Answers

27

You can leverage the fetch provided by the browser debugger (F12 on Chrome and Firefox, then go to the console):

fetch('https://google.ca')

If you get a CORS error then that means the current site you opened your debugger with (Origin) is not included in the Access-Control-Allow-Origin header by the site you're fetching from.

Symmetry
21

You could test it with cURL from the terminal.

curl -v --request OPTIONS 'https://your-host.here' -H 'Origin: http://some.origin.here' -H 'Access-Control-Request-Method: GET'
crizCraig
het
13

If your application returns the header Access-Control-Allow-Origin then it should work. In my particular use case I set it to "*".

Otherwise testing will show an error, viewable from the browser console. It will say something like: Access to ... has been blocked by CORS policy

[Screenshot: CORS not enabled error message from the browser console]

You can test whether the CORS headers are working properly using your browser. I used this one and hope it helps; you will find the instructions in it. https://github.com/cactuz/cors-tester-from-browser

RudyD
  • 4
    There are extremely few use cases in which you want to set `Access-Control-Allow-Origin: *`. This will essentially disable authentication for your application, as any website can now hijack your users' sessions. – ATOMP Aug 04 '20 at 15:01
  • 4
    @ATOMP albeit the * value is not recommended, the ACAO header has nothing to do with authentication and no modern website is using this header as an authentication method. – Ofer B Aug 28 '21 at 02:34
  • @OferB I think you might have missed the point. If you set Access-Control-Allow-Origin: * it becomes trivial to use XSS to hijack user sessions, thus essentially disabling authentication. – stoj May 05 '22 at 14:49
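The following is an added example and not code from any of the answers or comments above. It automates the check the cURL answer performs by hand (an OPTIONS preflight carrying Origin and Access-Control-Request-Method) and classifies the response, including the `Access-Control-Allow-Origin: *` case the comment thread argues about. So that it runs offline, it brings its own local test server with four constructed endpoints: an origin allowlist done correctly, a wildcard combined with credentials, a handler that blindly echoes whatever Origin it receives, and a path with no CORS headers at all (the symptom in the question). The hostnames `app.host2.example` and `untrusted.example`, the paths and the allowlist are all made up for the demonstration.

```python
"""Added example, not code from any answer on this page: a preflight checker
run against a local test server so it works offline.  Hostnames, paths and
the allowlist below are constructed for the demonstration."""
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Constructed allowlist: the only origin this "host1" should grant access to.
ALLOWED_ORIGINS = {"https://app.host2.example"}


class CorsHandler(BaseHTTPRequestHandler):
    """Three endpoints with different CORS policies, plus /plain with none."""

    def _cors_headers(self):
        origin = self.headers.get("Origin", "")
        if self.path == "/strict":
            # Correct: echo the Origin only when it is on the allowlist.
            if origin in ALLOWED_ORIGINS:
                self.send_header("Access-Control-Allow-Origin", origin)
                self.send_header("Access-Control-Allow-Credentials", "true")
                self.send_header("Vary", "Origin")
        elif self.path == "/wildcard":
            # Weak: "*" admits every origin; browsers also refuse to honour
            # "*" together with Allow-Credentials: true.
            self.send_header("Access-Control-Allow-Origin", "*")
            self.send_header("Access-Control-Allow-Credentials", "true")
        elif self.path == "/reflect":
            # Broken: echoes any Origin without checking it against a list.
            self.send_header("Access-Control-Allow-Origin", origin)
            self.send_header("Access-Control-Allow-Credentials", "true")
        self.send_header("Access-Control-Allow-Methods", "GET, OPTIONS")

    def do_OPTIONS(self):
        self.send_response(204)
        self._cors_headers()
        self.send_header("Content-Length", "0")
        self.end_headers()

    def do_GET(self):
        body = b"ok"
        self.send_response(200)
        self._cors_headers()
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the demo output quiet


def start_server():
    """Bind to a free loopback port and serve in a background thread."""
    srv = HTTPServer(("127.0.0.1", 0), CorsHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def preflight(url, origin, method="GET"):
    """Send the same preflight the cURL answer sends; return lower-cased headers."""
    req = Request(url, method="OPTIONS",
                  headers={"Origin": origin,
                           "Access-Control-Request-Method": method})
    try:
        with urlopen(req, timeout=5) as resp:
            return {k.lower(): v for k, v in resp.headers.items()}
    except HTTPError as err:  # a 4xx/5xx reply still carries headers worth reading
        return {k.lower(): v for k, v in err.headers.items()}


def check_endpoint(url, trusted_origin, untrusted_origin="https://untrusted.example"):
    """Classify how an endpoint answers a trusted and an untrusted Origin."""
    trusted = preflight(url, trusted_origin)
    untrusted = preflight(url, untrusted_origin)
    acao_t = trusted.get("access-control-allow-origin")
    acao_u = untrusted.get("access-control-allow-origin")
    creds = trusted.get("access-control-allow-credentials", "").lower() == "true"
    if acao_t is None:
        return "no-cors-header"            # the symptom described in the question
    if acao_t == "*":
        return "wildcard-with-credentials" if creds else "wildcard"
    if acao_u == untrusted_origin:
        return "reflects-any-origin"       # allowlist is not enforced
    if acao_t == trusted_origin and acao_u is None:
        return "allowlist-ok"
    return "unexpected"


if __name__ == "__main__":
    server = start_server()
    base = f"http://127.0.0.1:{server.server_port}"
    for path in ("/strict", "/wildcard", "/reflect", "/plain"):
        print(path, check_endpoint(base + path, "https://app.host2.example"))
    server.shutdown()
```

Running the file prints one verdict per path. To point the checker at a real deployment, replace `base` with the host1 URL and pass the host2 origin as `trusted_origin`; the second request with an origin that should never be allowed is what distinguishes a genuine allowlist from a handler that merely reflects Origin, which looks identical when you only test with the origin you expect to succeed.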
-5

You can test it with any REST client like the Postman REST client, or simply check it from the browser console -> Network tab -> XHR filter, and inspect the headers of the particular request. You can check both the request and the response.