Note: Browser-based CORS testing is limited. The browser enforces CORS policies, so if the server does not allow your origin, the request will fail and response headers will be hidden. For comprehensive testing, use curl -v from your terminal.
Access-Control-Allow-Origin: The allowed origin(s), e.g. * or https://yourdomain.com
Access-Control-Allow-Methods: Allowed HTTP methods, e.g. GET, POST, PUT
Access-Control-Allow-Headers: Allowed request headers, e.g. Content-Type, Authorization
Access-Control-Allow-Credentials: Set to true if cookies/auth needed
browserutils
CORS Tester