CORS Preflight Tester
Simulate browser CORS preflight OPTIONS requests and analyze response headers
Send an OPTIONS preflight to a target URL with a simulated origin, method, and requested headers. Reports which CORS response headers are present, missing, or misconfigured relative to what the browser would require.
Features
- POST /test - simulate Access-Control-Request-Method/Headers preflight
- Analyzes Allow-Origin, Allow-Methods, Allow-Headers, Allow-Credentials
- Returns actionable pass/fail per header requirement
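The header analysis listed above can be sketched as follows. This is an added example, not the project's own code: it applies the Fetch standard's preflight rules to a response, and the function name, report shape, and `credentials` flag are assumptions (the API above has no credentials parameter). The requested headers are assumed to be the non-safelisted ones a browser would send in Access-Control-Request-Headers.

```javascript
// Added example, not the project's code. Names here are illustrative assumptions.
const SAFELISTED_METHODS = new Set(["GET", "HEAD", "POST"]);

const parseList = (value) =>
  (value || "").split(",").map((s) => s.trim()).filter(Boolean);

// req: { origin, method, headers, credentials }; resHeaders: lowercase-keyed object.
function evaluatePreflight(req, status, resHeaders) {
  const { origin, method, headers = [], credentials = false } = req;
  const results = [];
  const check = (header, pass, detail) => results.push({ header, pass, detail });
  // A preflight only succeeds on a 2xx status.
  check("status", status >= 200 && status <= 299, `status ${status}`);

  // "*" is honoured only when the request carries no credentials.
  const acao = resHeaders["access-control-allow-origin"];
  check("Access-Control-Allow-Origin",
    acao === origin || (acao === "*" && !credentials), `got ${acao ?? "(missing)"}`);
  // Credentialed requests need the exact, case-sensitive value "true".
  if (credentials) {
    const acac = resHeaders["access-control-allow-credentials"];
    check("Access-Control-Allow-Credentials", acac === "true", `got ${acac ?? "(missing)"}`);
  }

  // Method names are compared case-sensitively; GET, HEAD and POST need no listing.
  const methods = parseList(resHeaders["access-control-allow-methods"]);
  check("Access-Control-Allow-Methods",
    SAFELISTED_METHODS.has(method) || methods.includes(method) ||
      (methods.includes("*") && !credentials), `requested ${method}`);

  // Header names are case-insensitive; "*" never covers Authorization.
  const allowed = parseList(resHeaders["access-control-allow-headers"]).map((h) => h.toLowerCase());
  for (const h of headers) {
    const name = h.toLowerCase();
    const wildcard = allowed.includes("*") && !credentials && name !== "authorization";
    check("Access-Control-Allow-Headers", allowed.includes(name) || wildcard, `requested ${h}`);
  }
  return { allowed: results.every((r) => r.pass), results };
}

// Constructed sample: a wildcard-everything response checked against a credentialed PUT.
const sampleResponse = {
  "access-control-allow-origin": "*",
  "access-control-allow-methods": "GET, PUT",
  "access-control-allow-headers": "*",
};
const sampleRequest = { origin: "https://app.example.com", method: "PUT",
  headers: ["Content-Type", "Authorization"], credentials: true };
const sampleReport = evaluatePreflight(sampleRequest, 204, sampleResponse);
console.log(JSON.stringify(sampleReport, null, 2));
```

The sample shows why a wildcard response that passes for anonymous requests is rejected by the browser once credentials are involved, and why Authorization must always be listed by name.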
API Reference
POST /test
url string (required) - Target URL (http or https).
origin string (required) - Simulated Origin header value.
method string (required) - Intended request method (e.g. POST).
headers string[] (optional) - Request headers for preflight (e.g. ["Content-Type"]).
Example Request
curl -X POST "https://your-worker.workers.dev/test" \
-H "Content-Type: application/json" \
-d '{"url":"https://api.example.com/data","origin":"https://app.example.com","method":"POST","headers":["Content-Type"]}'
Error Codes
- 400 - INVALID_BODY, INVALID_URL, INVALID_ORIGIN, INVALID_METHOD
- 502 - PREFLIGHT_ERROR
Use Cases
- Debug why a browser blocks cross-origin API calls
- Validate CORS headers before deploying a new frontend origin
- Compare preflight behavior across staging and production APIs
Limitations
- Simulates preflight from Workers egress, not from an end-user browser network
- Does not follow complex redirect chains for OPTIONS
- Single preflight scenario per request
Deployment
Configure bindings
See wrangler.json and the experiment README for required bindings.
Test your deployment
See the experiment README for curl examples.
Local Development
cd apps/experiments/cors-preflight-tester
npm install
npm run dev
Configuration
No bindings required beyond the Workers runtime.