How to check the state of CORS

Rakib Al Hasan
2 min readAug 2, 2022

CORS = Cross Origin Resource Sharing

We’ve all run into this problem during web-development. We setup the CORS configuration on our server. We expect it to work. We use the browser to navigate to a page that uses CORS. It doesn’t work.

Photo by Usman Yousaf on Unsplash

A very simple cURL command can be used to validate your CORS configurations - quickly & reliably - without needing to navigate through browser pages.

Here is a script that I use for this purpose:

#!/usr/bin/env bash
set -euo pipefail
TARGET_URL="https://www.google.com" # for sample only
ORIGIN_HOST="https://www.example.com" # for sample only
echo "Calling: ${TARGET_URL}"
echo "From: ${ORIGIN_HOST}"
echo "----"
curl -I ${TARGET_URL} -X OPTIONS \
-H "Access-Control-Request-Method: OPTIONS" \
-H "Origin: ${ORIGIN_HOST}"
# CHECK for the "access-control-allow-" headers in the response

That’s it.

Photo by Ally Griffin on Unsplash

If the configuration works, you will get an output containing relevant access-control-allow- headers like this:

Calling:    https://www.google.com
From: https://www.example.com
----
HTTP/2 200
date: Thu, 09 Jun 2022 11:39:49 GMT
vary: Origin
access-control-allow-origin: https://www.example.com
access-control-allow-credentials: true
access-control-allow-headers: ciphertext
access-control-allow-methods: GET
access-control-max-age: 3600
content-length: 0
via: 1.1 google
alt-svc: h3=":443"; ma=2592000,h3-29=":443"; ma=2592000

If, however, the configuration does not work, you will usually get an output without such headers.

Calling:    https://www.google.com
From: https://www.example.com
----
HTTP/2 405
allow: GET, HEAD
date: Thu, 09 Jun 2022 11:46:06 GMT
content-type: text/html; charset=UTF-8
server: gws
content-length: 1592
x-xss-protection: 0
x-frame-options: SAMEORIGIN

That’s all.

--

--

Rakib Al Hasan

DevOps Engineer, Backend Developer, Cloud Architect, Night time drive-outs & nice hangouts