How do I debug CORS and security headers?

Short answer: Capture the exact response headers for the failing request, then check origin, credentials, allowed methods, CSP, cookie flags, and caching rules together.

Steps

  1. Paste the response headers from the failing browser request.
  2. Check Access-Control-Allow-Origin, credentials, methods, and preflight behavior.
  3. Inspect CSP, HSTS, X-Content-Type-Options, frame protection, and referrer policy.
  4. Review Set-Cookie flags such as Secure, HttpOnly, SameSite, Domain, Path, and expiry.
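
The four steps above as one pass over a pasted header block. This is an added example, not the debugtools inspector's own code; SAMPLE is a constructed response, and auditHeaders, parseHeaders and requestOrigin are hypothetical names.

```javascript
const SAMPLE = [ // constructed response, not captured from a real site
  "HTTP/1.1 200 OK",
  "Access-Control-Allow-Origin: *",
  "Access-Control-Allow-Credentials: true",
  "X-Content-Type-Options: nosniff",
  "Set-Cookie: sid=abc123; Path=/; SameSite=None",
  "Set-Cookie: theme=dark; Path=/; Secure; HttpOnly; SameSite=Lax",
].join("\r\n");

// Parse raw header lines into Map(lower-cased name -> array of values).
function parseHeaders(raw) {
  const headers = new Map();
  for (const line of raw.split(/\r?\n/)) {
    const i = line.indexOf(":");
    if (i <= 0) continue; // status line, blank line, HTTP/2 pseudo-header
    const name = line.slice(0, i).trim().toLowerCase();
    headers.set(name, [...(headers.get(name) || []), line.slice(i + 1).trim()]);
  }
  return headers;
}

function auditHeaders(raw, requestOrigin) { // hypothetical helper for this example
  const h = parseHeaders(raw), out = [];
  const first = (n) => (h.get(n) || [""])[0];
  const acao = first("access-control-allow-origin");
  const creds = first("access-control-allow-credentials") === "true";
  if (!acao) out.push("cors: no Access-Control-Allow-Origin");
  else if (acao === "*" && creds) out.push("cors: wildcard origin with credentials");
  else if (acao !== "*" && acao !== requestOrigin) out.push("cors: origin mismatch");
  if (acao && acao !== "*" && !/\borigin\b/i.test(first("vary")))
    out.push("cache: origin-specific ACAO without Vary: Origin");
  for (const n of ["content-security-policy", "strict-transport-security",
                   "x-content-type-options", "referrer-policy"])
    if (!h.has(n)) out.push(`missing: ${n}`);
  if (!h.has("x-frame-options") && !/frame-ancestors/i.test(first("content-security-policy")))
    out.push("missing: frame protection");
  for (const cookie of h.get("set-cookie") || []) {
    const [pair, ...rest] = cookie.split(";").map((s) => s.trim());
    const attrs = rest.map((a) => a.toLowerCase());
    const name = pair.split("=")[0];
    for (const flag of ["secure", "httponly"])
      if (!attrs.includes(flag)) out.push(`cookie ${name}: missing ${flag}`);
    const sameSite = attrs.find((a) => a.startsWith("samesite="));
    if (!sameSite) out.push(`cookie ${name}: missing samesite`);
    else if (sameSite === "samesite=none" && !attrs.includes("secure"))
      out.push(`cookie ${name}: samesite=none without secure`);
  }
  return out;
}
```

Calling auditHeaders(SAMPLE, "https://app.example") returns a list of findings; the wildcard origin combined with Access-Control-Allow-Credentials: true is the one browsers refuse for credentialed requests.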

Use debugtools

Open the Security Headers + CORS Inspector to run this workflow in the browser.

Related tools

CSP Parser, Cookie Security Inspector, API Workbench