How To Test Cors Using Postman

API Testing Blog

Understanding CORS and its Importance

Cross-Origin Resource Sharing (CORS) is a mechanism that allows restricted resources on a web page to be requested from another domain outside the domain from which the first resource originated. This is crucial for modern web applications that often need to communicate with different backend servers or third-party APIs.

How to Test CORS using Postman: A Step-by-Step Guide

Postman, a popular API testing tool, offers several ways to check and test CORS functionality. Here’s a guide with practical examples:

1. Simulating a Cross-Origin Request

To test CORS, you’ll need to simulate a request from a different origin than the server hosting the API. You can achieve this by using the Postman environment variables:

  • Create a new environment: In Postman, go to “Manage Environments” and click “Add.”
  • Define origin variable: In the “Variable Key” field, enter “origin”. For the “Initial Value,” enter a valid domain different from your API’s domain. For example: http://localhost:3000.
  • Set your origin: In your request, ensure you have the correct URL for your API endpoint. Now, select your new environment and use the {{origin}} variable in the “Request URL” field.

2. Inspecting Response Headers

The key to verifying CORS functionality lies in inspecting the response headers, specifically the following:

  • Access-Control-Allow-Origin: This header indicates which origins are allowed to access the resource. It can be a specific origin or a wildcard (*).
  • Access-Control-Allow-Methods: This specifies the HTTP methods (like GET, POST, PUT, DELETE) allowed from the specified origin.
  • Access-Control-Allow-Headers: This defines which custom headers can be used in the request from the allowed origin.

Example:

Access-Control-Allow-Origin: http://localhost:3000
Access-Control-Allow-Methods: GET, POST, PUT, DELETE
Access-Control-Allow-Headers: Content-Type

3. Testing Pre-Flight Requests (OPTIONS)

For certain requests that involve complex operations or custom headers, browsers send a pre-flight OPTIONS request to the server before the actual request. The server's answer to this pre-flight tells the browser whether the actual request will be allowed.

How to test:

  • Make an OPTIONS request: Send an OPTIONS request to your API endpoint using Postman. Use the same origin variable in the “Request URL” and ensure the “Request Method” is set to “OPTIONS”.
  • Check the response headers: Inspect the response headers for the Access-Control-Allow-Origin, Access-Control-Allow-Methods, and Access-Control-Allow-Headers.

4. Verifying Failed CORS Requests

To test that CORS works correctly, it is equally important to test scenarios where it should fail. To simulate this:

  • Set an incorrect origin: Modify the origin variable to a domain that is not allowed by your API.
  • Send the request: Send a request to your API endpoint.
  • Inspect the response: You should receive a CORS error in the response, usually with an HTTP status code of 403 (Forbidden) or 405 (Method Not Allowed).

5. Testing CORS using Different Methods

You can test CORS functionality with various HTTP methods:

  • GET: Send a GET request to your endpoint.
  • POST: Send a POST request with data.
  • PUT: Send a PUT request to update existing data.
  • DELETE: Send a DELETE request to delete data.

For each request, inspect the response headers and evaluate whether the CORS configuration allows the operation.
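The header checks from steps 2 to 5 above, as an added example that is not part of the original post: a small CORS checker in plain JavaScript. It runs under Node against the constructed sample responses below, and the same checkCors() function can be pasted into a Postman "Tests" tab, where the header lookup is (name) => pm.response.headers.get(name) instead of the headerGetter() helper. The origin passed in is the Origin value that was sent with the request; the sample origins, header sets and the reflectsAnyOrigin() helper are assumptions made for this example, not captured from a real API.

```javascript
// Added example, not code from the original post: a CORS response checker.
// Runs under Node with constructed sample responses; in Postman, pass
// (name) => pm.response.headers.get(name) as the `get` argument instead.

// Build a case-insensitive header getter from a plain {name: value} object,
// mirroring pm.response.headers.get(name). Returns null when absent.
function headerGetter(headers) {
  const lower = new Map(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  return (name) => (lower.has(name.toLowerCase()) ? lower.get(name.toLowerCase()) : null);
}

// Split a comma-separated header value into trimmed tokens, folded by `fold`.
function tokens(value, fold) {
  return value ? String(value).split(",").map((t) => fold(t.trim())).filter(Boolean) : [];
}

// Requests a browser sends without a pre-flight: GET/HEAD/POST with no custom
// request headers. Everything else is gated on Allow-Methods and Allow-Headers.
function isSimpleRequest(method, requestHeaders) {
  return ["GET", "HEAD", "POST"].includes(method.toUpperCase()) && requestHeaders.length === 0;
}

// Evaluate response headers against the Origin, method and custom headers that
// were sent. Returns { allowed, problems }; `problems` lists every reason a
// browser would refuse to expose the response to that origin.
function checkCors(get, { origin, method = "GET", requestHeaders = [], credentials = false }) {
  const problems = [];
  const acao = get("Access-Control-Allow-Origin");
  const acam = tokens(get("Access-Control-Allow-Methods"), (s) => s.toUpperCase());
  const acah = tokens(get("Access-Control-Allow-Headers"), (s) => s.toLowerCase());
  const acac = String(get("Access-Control-Allow-Credentials") || "").toLowerCase() === "true";

  if (acao == null) {
    problems.push("no Access-Control-Allow-Origin header; the browser blocks this origin");
  } else if (acao === "*") {
    if (credentials) problems.push("wildcard origin is not accepted when credentials are sent");
  } else if (acao !== origin) {
    problems.push(`Access-Control-Allow-Origin is ${acao}, not ${origin}`);
  }
  if (credentials && !acac) {
    problems.push("credentials sent but Access-Control-Allow-Credentials is not 'true'");
  }
  if (!isSimpleRequest(method, requestHeaders)) {
    // With credentials, "*" in these two headers is a literal value, not a wildcard.
    const wildcardOk = !credentials;
    if (!(wildcardOk && acam.includes("*")) && !acam.includes(method.toUpperCase())) {
      problems.push(`method ${method.toUpperCase()} not listed in Access-Control-Allow-Methods`);
    }
    for (const h of requestHeaders) {
      if (!(wildcardOk && acah.includes("*")) && !acah.includes(h.toLowerCase())) {
        problems.push(`header ${h} not listed in Access-Control-Allow-Headers`);
      }
    }
  }
  return { allowed: problems.length === 0, problems };
}

// Step 4 check: a denial test only proves something if the API does not echo
// back whatever Origin it receives. Compare the allow-origin value returned for
// the legitimate origin with the one returned for an origin that should be refused.
function reflectsAnyOrigin(getForGoodOrigin, getForBadOrigin, goodOrigin, badOrigin) {
  return getForGoodOrigin("Access-Control-Allow-Origin") === goodOrigin &&
         getForBadOrigin("Access-Control-Allow-Origin") === badOrigin;
}

// Constructed sample responses (hypothetical; not captured from a real API).
const GOOD_ORIGIN = "http://localhost:3000";
const BAD_ORIGIN = "http://not-allowed.example";
const SAMPLE_OK = headerGetter({
  "Access-Control-Allow-Origin": GOOD_ORIGIN,
  "Access-Control-Allow-Methods": "GET, POST, PUT, DELETE",
  "Access-Control-Allow-Headers": "Content-Type",
});
const SAMPLE_DENIED = headerGetter({ "Content-Type": "application/json" }); // no CORS headers at all
const SAMPLE_REFLECTED = headerGetter({ "Access-Control-Allow-Origin": BAD_ORIGIN });

// Run the sample scenarios and return their verdicts.
function runSamples() {
  return {
    preflightPut: checkCors(SAMPLE_OK, { origin: GOOD_ORIGIN, method: "PUT", requestHeaders: ["Content-Type"] }),
    preflightPatch: checkCors(SAMPLE_OK, { origin: GOOD_ORIGIN, method: "PATCH" }),
    customHeader: checkCors(SAMPLE_OK, { origin: GOOD_ORIGIN, method: "POST", requestHeaders: ["X-Api-Key"] }),
    denied: checkCors(SAMPLE_DENIED, { origin: BAD_ORIGIN }),
    reflected: reflectsAnyOrigin(SAMPLE_OK, SAMPLE_REFLECTED, GOOD_ORIGIN, BAD_ORIGIN),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(runSamples(), null, 2));
}
```

In Postman, a test for step 3 would call checkCors with the method and custom header names you intend the real request to use, since that is what a browser's pre-flight asks the server about; the checker treats a missing or mismatched Access-Control-Allow-Origin as a failed request even when the HTTP status is 200, and the reflectsAnyOrigin() comparison flags an API on which the step 4 denial test can never fail.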