How to check the state of CORS
2 min readAug 2, 2022
CORS = Cross Origin Resource Sharing
We’ve all run into this problem during web-development. We setup the CORS configuration on our server. We expect it to work. We use the browser to navigate to a page that uses CORS. It doesn’t work.
A very simple cURL command can be used to validate your CORS configurations - quickly & reliably - without needing to navigate through browser pages.
Here is a script that I use for this purpose:
#!/usr/bin/env bash
set -euo pipefailTARGET_URL="https://www.google.com" # for sample only
ORIGIN_HOST="https://www.example.com" # for sample onlyecho "Calling: ${TARGET_URL}"
echo "From: ${ORIGIN_HOST}"
echo "----"curl -I ${TARGET_URL} -X OPTIONS \
-H "Access-Control-Request-Method: OPTIONS" \
-H "Origin: ${ORIGIN_HOST}"# CHECK for the "access-control-allow-" headers in the response
That’s it.
If the configuration works, you will get an output containing relevant access-control-allow- headers like this:
Calling: https://www.google.com
From: https://www.example.com
----
HTTP/2 200
date: Thu, 09 Jun 2022 11:39:49 GMT
vary: Origin
access-control-allow-origin: https://www.example.com
access-control-allow-credentials: true
access-control-allow-headers: ciphertext
access-control-allow-methods: GET
access-control-max-age: 3600
content-length: 0
via: 1.1 google
alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000If, however, the configuration does not work, you will usually get an output without such headers.
Calling: https://www.google.com
From: https://www.example.com
----
HTTP/2 405
allow: GET, HEAD
date: Thu, 09 Jun 2022 11:46:06 GMT
content-type: text/html; charset=UTF-8
server: gws
content-length: 1592
x-xss-protection: 0
x-frame-options: SAMEORIGINThat’s all.
