CORS Testing Examples with Postman

Learn how to test CORS configurations using Postman through practical examples.
By Jamie

Introduction to CORS Testing

Cross-Origin Resource Sharing (CORS) is a browser-enforced mechanism that controls whether a web page served from one origin may read responses from an API on a different origin. When developing APIs, it is crucial to configure CORS correctly so that your resources can be read only by the origins you intend to authorize. In this article, we present three practical examples of testing CORS configurations using Postman.

Example 1: Testing Basic CORS Configuration

Context

In this example, we’ll test a simple API that has CORS enabled for a specific origin, allowing requests only from that origin.

To verify that the CORS settings are functioning as expected, we will attempt a request from a different origin and observe the response. Postman is not a browser and does not enforce CORS itself, so what you see is the server's raw response, which is exactly what a browser would evaluate before deciding whether to expose it to the page.

Example

  1. Open Postman and create a new request.
  2. Set the request method to GET.
  3. Enter the API endpoint URL (e.g., https://api.example.com/data).
  4. Go to the Headers tab and add a new header:

    • Key: Origin
    • Value: https://unauthorized-origin.com
  5. Click Send to execute the request.
  6. Observe the response:

    • If the CORS configuration is correct, you should receive a response indicating that the request is forbidden (HTTP status code 403).

Notes

  • You can replace https://unauthorized-origin.com with any origin that is not authorized to access the API.
  • This test confirms that the API does not allow requests from unauthorized origins. Some servers return the resource with a 200 status and simply omit the Access-Control-Allow-Origin header for an unlisted origin; the browser blocks the response either way, so the absence of that header is an equally valid pass.

Example 2: Testing CORS with Allowed Origin

Context

In this example, we will test an API that allows requests from a specific origin. We will use Postman to send a request from that authorized origin and check the response headers for CORS.

Example

  1. Create a new request in Postman and set it to GET.
  2. Enter the API endpoint URL (e.g., https://api.example.com/data).
  3. In the Headers tab, add the following header:

    • Key: Origin
    • Value: https://authorized-origin.com
  4. Click Send to execute the request.
  5. Check the response headers:

    • Look for Access-Control-Allow-Origin and ensure its value is exactly https://authorized-origin.com (the header carries a single origin, or the wildcard *; it is not a list).
    • The response should also return a successful status code (e.g., 200).

Notes

  • Adjust the Origin header value to match the allowed origin configured in your API.
  • This test ensures that the API correctly permits requests from authorized origins. If the header simply echoes whatever Origin you send, the allow-list is not actually being enforced; repeat the request with an unlisted origin and confirm that value is not reflected back.

Example 3: Testing Preflight Requests

Context

CORS preflight requests are sent by browsers before making certain types of requests (for example PUT or DELETE, or any request with custom headers or a non-simple content type). This example demonstrates how to simulate a preflight request using Postman to check whether the server handles it correctly.

Example

  1. Create a new request in Postman and set it to OPTIONS.
  2. Enter the API endpoint URL (e.g., https://api.example.com/data).
  3. In the Headers tab, add the following headers:

    • Key: Origin
    • Value: https://authorized-origin.com
    • Key: Access-Control-Request-Method
    • Value: POST
  4. Click Send to execute the request.
  5. Examine the response:

    • Verify that the Access-Control-Allow-Methods header includes POST (or the method you specified).
    • Ensure the response has a status code of 200 or 204 for successful preflight checks.

Notes

  • This example is crucial for testing APIs that require preflight checks before processing complex requests.
  • You may need to adjust the Access-Control-Request-Method header based on your API’s capabilities.
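The three Postman checks above can be scripted so they run repeatably, for instance in CI. The following is an added example, not code from the original article: it starts a small local stand-in for api.example.com (a constructed server that allow-lists https://authorized-origin.com, answers 403 to other origins, and handles OPTIONS preflights), sends the same three requests with Python's standard library, and then applies the browser's decision rules to the response headers. The origins, the 403 behaviour and the /data path are the article's; the server, the cors_verdict helper and the run_examples function are assumptions introduced here.

```python
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import Request, urlopen

# Constructed policy for the stand-in API: one allow-listed origin, two methods.
ALLOWED_ORIGINS = {"https://authorized-origin.com"}
ALLOWED_METHODS = ["GET", "POST"]


class CorsApiHandler(BaseHTTPRequestHandler):
    """Hypothetical stand-in for api.example.com that enforces the policy above."""

    def _add_cors_headers(self, origin):
        # Echo only an allow-listed origin; never reflect arbitrary Origin values.
        if origin in ALLOWED_ORIGINS:
            self.send_header("Access-Control-Allow-Origin", origin)
            self.send_header("Vary", "Origin")

    def do_OPTIONS(self):
        # Preflight: approve only allow-listed origin + allow-listed method.
        origin = self.headers.get("Origin")
        method = self.headers.get("Access-Control-Request-Method", "").upper()
        if origin in ALLOWED_ORIGINS and method in ALLOWED_METHODS:
            self.send_response(204)
            self._add_cors_headers(origin)
            self.send_header("Access-Control-Allow-Methods", ", ".join(ALLOWED_METHODS))
            self.send_header("Access-Control-Max-Age", "600")
        else:
            self.send_response(403)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def do_GET(self):
        # Example 1 behaviour: an unlisted Origin gets a 403 and no CORS headers.
        origin = self.headers.get("Origin")
        if origin is not None and origin not in ALLOWED_ORIGINS:
            body, status = b'{"error": "origin not allowed"}', 403
        else:
            body, status = b'{"data": "ok"}', 200
        self.send_response(status)
        if status == 200:
            self._add_cors_headers(origin)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the stand-in quiet


def send(url, method, headers):
    """Equivalent of pressing Send in Postman: returns (status, lower-cased headers)."""
    req = Request(url, method=method, headers=headers)
    try:
        with urlopen(req, timeout=5) as resp:
            return resp.status, {k.lower(): v for k, v in resp.headers.items()}
    except HTTPError as err:
        return err.code, {k.lower(): v for k, v in err.headers.items()}


def cors_verdict(origin, status, headers, requested_method=None):
    """Apply the browser's rules to a response: 'allowed', 'blocked' or
    'preflight-rejected'. Works for a 403, and for a 200 that merely omits
    Access-Control-Allow-Origin, because the header check decides, not the status."""
    acao = headers.get("access-control-allow-origin")
    origin_ok = acao in (origin, "*")
    if requested_method is None:
        return "allowed" if origin_ok else "blocked"
    methods = [m.strip().upper() for m in headers.get("access-control-allow-methods", "").split(",")]
    if status in (200, 204) and origin_ok and requested_method.upper() in methods:
        return "allowed"
    return "preflight-rejected"


def run_examples():
    """Run the article's three checks against the local stand-in and collect verdicts."""
    server = HTTPServer(("127.0.0.1", 0), CorsApiHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    url = f"http://127.0.0.1:{server.server_port}/data"
    results = {}
    try:
        bad, good = "https://unauthorized-origin.com", "https://authorized-origin.com"
        st, hd = send(url, "GET", {"Origin": bad})                      # Example 1
        results["example1"] = (st, cors_verdict(bad, st, hd))
        st, hd = send(url, "GET", {"Origin": good})                     # Example 2
        results["example2"] = (st, cors_verdict(good, st, hd))
        st, hd = send(url, "OPTIONS", {"Origin": good,                  # Example 3
                                       "Access-Control-Request-Method": "POST"})
        results["example3"] = (st, cors_verdict(good, st, hd, requested_method="POST"))
    finally:
        server.shutdown()
        server.server_close()
    return results


if __name__ == "__main__":
    for name, (status, verdict) in run_examples().items():
        print(f"{name}: HTTP {status} -> {verdict}")
```

To point the script at a real API, replace the local server with the endpoint URL and keep only send and cors_verdict; the verdict function deliberately judges on the Access-Control-Allow-Origin and Access-Control-Allow-Methods headers rather than on the status code, so it also catches the common case where a misconfigured server returns 200 but reflects or omits the origin.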

By following these examples of testing CORS configurations using Postman, developers can ensure that their APIs are secure and function correctly across different origins.