• Skip to primary navigation
  • Skip to main content
Sal Ferrarello
  • About Sal Ferrarello
  • Speaking
  • Connect
    Mastodon GitHub Twitter (inactive)
You are here: Home / Dev Tips / Check CORS Value from Command Line

Check CORS Value from Command Line

Last updated on November 11, 2021 by Sal Ferrarello

I was checking a number of URL endpoints for CORS restrictions today and I wondered if I could check from the command line. Here are some example curl statement that get me the information I’m looking for. I think there is an opportunity for a custom function here but for now, these notes will do.

Example With No Restrictions

Since the access-control-allow-origin value is *, any site is allowed.

curl -I -H "Origin: https://salcode.test" \
--verbose 'https://api.weather.gov/gridpoints/TOP/31,80/forecast' \
2>&1 | grep -i 'access-control-allow-origin:'

Result

< access-control-allow-origin: *
access-control-allow-origin: *

Example with Approving Origin Site

Whatever Origin value is sent as a header is also returned as the access-control-allow-origin value.

As long as the correct Origin value is sent as a header, the requesting site is allowed.

curl -I -H "Origin: https://salcode.test" \
--verbose 'https://salferrarello.com/wp-json/wp/v2/posts/' \
2>&1 | grep -i 'access-control-allow-origin:'

Result

< access-control-allow-origin: https://salcode.test
access-control-allow-origin: https://salcode.test

Example With Default Restrictions

When no access-control-allow-origin value is returned, the default CORS restrictions are in place. Only the site (www.bcferriesapi.ca) is allowed.

curl -I -H "Origin: https://salcode.test" \
--verbose 'https://www.bcferriesapi.ca/api/tsawwassen/' \
2>&1 | grep -i 'access-control-allow-origin:'

No Result

JavaScript

Another related trick I use to check for CORS is running a fetch() of the URL in the browser console.

With CORS Restrictions

With CORS restrictions, the fetch() will fail.

await fetch('https://www.bcferriesapi.ca/api/tsawwassen/')

JavaScript fetch() call from the browser console, failing due to CORS.

Without CORS Restrictions

Without CORS restrictions, the fetch() will successfully return a response.

await fetch('https://api.weather.gov/gridpoints/TOP/31,80/forecast')

JavaScript fetch() to URL without CORS restrictions.

Sal Ferrarello
Sal Ferrarello (@salcode)
Sal is a PHP developer with a focus on the WordPress platform. He is a conference speaker with a background including Piano Player, Radio DJ, Magician/Juggler, Beach Photographer, and High School Math Teacher. Sal can be found professionally at WebDevStudios, where he works as a senior backend engineer.

Share this post:

Share on TwitterShare on FacebookShare on LinkedInShare on EmailShare on Reddit
Warning! This is a draft, not a finalized post. See full draft disclosure.

Filed Under: Dev Tips, Draft, Programming Tagged With: CORS, curl

Reader Interactions

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Copyright © 2023 · Bootstrap4 Genesis on Genesis Framework · WordPress · Log in