Skip to main content

To test CORS using curl, you can simulate both preflight (OPTIONS) and actual GET/POST requests by setting custom headers.

✅ 1. Test Preflight (OPTIONS) Request

This simulates a browser preflight request: 
curl -i -X OPTIONS https://x.x.com \
  -H "Origin: https://example.com" \
  -H "Access-Control-Request-Method: GET" \
  -H "Access-Control-Request-Headers: Content-Type, Authorization"

✅ You should see response headers like:

HTTP/1.1 204 No Content
Access-Control-Allow-Origin: *
Access-Control-Allow-Methods: GET, POST, OPTIONS, PUT, DELETE
Access-Control-Allow-Headers: Origin, Content-Type, Accept, Authorization
Access-Control-Allow-Credentials: true

✅ 2. Test Actual GET Request with CORS

This simulates a CORS request from a browser-based client: 
curl -i -X GET https://x.x.com \
  -H "Origin: https://example.com"
You should see a successful HTTP 200 (or similar) with: 
Access-Control-Allow-Origin: *

✅ 3. Test CORS Denial Case (For Comparison)

To validate that CORS is working as expected (not always open), try from an origin that should be blocked (if you configured a specific origin): 
curl -i -X GET https://x.x.com \
  -H "Origin: https://unauthorized.com"
You should not see Access-Control-Allow-Origin in the response if the origin is restricted.

🧪 Optional: Verbose Debugging

curl -i -v -X OPTIONS https://x.x.com \
  -H "Origin: https://example.com" \
  -H "Access-Control-Request-Method: GET"
This shows SSL negotiation, redirects, and response headers line by line.