How to check the state of CORS

CORS = Cross Origin Resource Sharing

We’ve all run into this problem during web-development. We setup the CORS configuration on our server. We expect it to work. We use the browser to navigate to a page that uses CORS. It doesn’t work.

Photo by Usman Yousaf on Unsplash

A very simple cURL command can be used to validate your CORS configurations - quickly & reliably - without needing to navigate through browser pages.

Here is a script that I use for this purpose:

#!/usr/bin/env bash
set -euo pipefail
TARGET_URL="" # for sample only
ORIGIN_HOST="" # for sample only
echo "Calling: ${TARGET_URL}"
echo "From: ${ORIGIN_HOST}"
echo "----"
-H "Access-Control-Request-Method: OPTIONS" \
-H "Origin: ${ORIGIN_HOST}"
# CHECK for the "access-control-allow-" headers in the response

That’s it.

Photo by Ally Griffin on Unsplash

If the configuration works, you will get an output containing relevant access-control-allow- headers like this:

HTTP/2 200
date: Thu, 09 Jun 2022 11:39:49 GMT
vary: Origin
access-control-allow-credentials: true
access-control-allow-headers: ciphertext
access-control-allow-methods: GET
access-control-max-age: 3600
content-length: 0
via: 1.1 google
alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000

If, however, the configuration does not work, you will usually get an output without such headers.

HTTP/2 405
allow: GET, HEAD
date: Thu, 09 Jun 2022 11:46:06 GMT
content-type: text/html; charset=UTF-8
server: gws
content-length: 1592
x-xss-protection: 0
x-frame-options: SAMEORIGIN

That’s all.



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Syed Rakib Al Hasan

DevOps Engineer, Backend Developer, Cloud Architect, Night time drive-outs & nice hangouts