CORS API
Build correct CORS response headers and evaluate preflight requests without re-reading the spec every time.

The headers endpoint turns a simple policy (allowed origins, methods, request headers, whether credentials are allowed, a preflight max-age and any exposed response headers) into the exact set of Access-Control-* headers to return, and it handles the parts people get wrong: you cannot combine a wildcard origin with credentials, so it reflects the specific request origin and adds Vary: Origin instead; it omits the allow-origin header when an origin is not on your list; and it warns when a configuration would not behave as expected.

The check endpoint takes an incoming request (its Origin, the requested method and the Access-Control-Request-Headers) and tells you whether it would pass CORS, the precise reason if it fails, and the response headers you should send back.

Everything is computed locally and deterministically, so it is instant and private. Ideal for API gateways and backends, edge and serverless functions, debugging browser CORS errors, and getting a security policy exactly right. Pure local computation: no key, no third-party service, instant. Live, nothing stored. 3 endpoints.

This builds and checks the headers; it does not make a cross-origin request. To inspect a live site's security headers, use a security-headers API.
api.oanor.com/cors-api
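
The rules described above (reflect the origin instead of sending a wildcard with credentials, add Vary: Origin, omit the allow-origin header for an unlisted origin, and give a reason when a preflight fails) can be sketched as follows. This is an added example, not the service's code or API: the policy shape, the function names `buildCorsHeaders` and `checkPreflight`, and the sample values are assumptions.

```javascript
// Added example: the policy shape and function names are hypothetical.
const samplePolicy = {            // constructed sample policy
  origins: ["*"],                 // wildcard, or an explicit list of origins
  methods: ["GET", "POST"],
  headers: ["Content-Type", "Authorization"],
  credentials: true,
  maxAge: 600,
  expose: ["X-Request-Id"],
};

function buildCorsHeaders(policy, origin) {
  const wildcard = policy.origins.includes("*");
  const plainWildcard = wildcard && !policy.credentials;
  // Any response that depends on the request Origin must tell caches so.
  const h = plainWildcard ? {} : { Vary: "Origin" };
  if (plainWildcard) {
    h["Access-Control-Allow-Origin"] = "*";
  } else if (origin && (wildcard || policy.origins.includes(origin))) {
    // "*" is not valid together with credentials: reflect the origin instead.
    h["Access-Control-Allow-Origin"] = origin;
  } else {
    return h; // origin not on the list: no allow-origin header at all
  }
  if (policy.credentials) h["Access-Control-Allow-Credentials"] = "true";
  if (policy.expose.length) h["Access-Control-Expose-Headers"] = policy.expose.join(", ");
  return h;
}

function checkPreflight(policy, { origin, method, requestHeaders = "" }) {
  const deny = (reason) => ({ allowed: false, reason, headers: {} });
  const base = buildCorsHeaders(policy, origin);
  if (!base["Access-Control-Allow-Origin"]) return deny(`origin ${origin} is not allowed`);
  if (!policy.methods.includes(String(method).toUpperCase())) return deny(`method ${method} is not allowed`);
  // Header names are case-insensitive; the request lists them comma-separated.
  const permitted = policy.headers.map((n) => n.toLowerCase());
  const refused = requestHeaders.split(",").map((n) => n.trim().toLowerCase())
    .filter(Boolean).find((n) => !permitted.includes(n));
  if (refused) return deny(`request header ${refused} is not allowed`);
  return {
    allowed: true,
    reason: "ok",
    headers: {
      ...base,
      "Access-Control-Allow-Methods": policy.methods.join(", "),
      "Access-Control-Allow-Headers": policy.headers.join(", "),
      "Access-Control-Max-Age": String(policy.maxAge),
    },
  };
}
```

With `origins: ["*"]` and credentials enabled, reflection admits every origin with cookies attached, so an explicit origin list is the safer policy for credentialed endpoints.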